Abstract


Quantum cryptography uses techniques and ideas from physics and 
computer science. The combination of these ideas makes the security 
proofs of quantum cryptography a complicated task. 

To prove that a quantum-cryptography protocol is secure, assumptions are made about the protocol and its devices. If these assumptions are not justified in an implementation then an eavesdropper may break the security of the protocol. Therefore, security is crucially dependent on which assumptions are made and how justified the assumptions are in an implementation of the protocol.

This thesis analyzes and clarifies the connection between the security proofs of quantum-cryptography protocols and their experimental implementations. In particular, we focus on quantum key distribution: the task of distributing a secret random key between two parties.

We propose a framework that decomposes quantum-key-distribution 
protocols and their assumptions into several classes. Protocol classes can 
be used to clarify which proof techniques apply to which kinds of protocols. 
Assumption classes can be used to specify which assumptions are justified 
in implementations and which could be exploited by an eavesdropper. 

We provide a comprehensive introduction to several concepts: quantum mechanics using the density operator formalism, quantum cryptography, and quantum key distribution. We define security for quantum key distribution and outline several mathematical techniques that can either be used to prove security or simplify security proofs. In addition, we analyze the assumptions made in quantum cryptography and how they may or may not be justified in implementations.
In all science we have to distinguish two sorts of laws:

first, those that are empirically verifiable but probably only approximate; 

secondly, those that are not verifiable, but may be exact. 

- Bertrand Russell, On the Notion of Cause (1913) 
Notation

Abbreviation   Description
CPTP           Completely positive and trace preserving
QKD            Quantum key distribution
i.i.d.         Independent and identically distributed
POVM           Positive operator valued measure
CQ             Classical-quantum
CJ             Choi-Jamiolkowski
P&M            Prepare and Measure

Table 1: List of common abbreviations.


Term         Description
Bit          A binary digit that is either 0 or 1
String       A list of bits (or other numbers)
Qubit        A quantum bit, i.e. a two-level quantum system, typically represented with the basis {|0⟩, |1⟩}
Key          A string that is supposed to be secret
Seed         A short random string used as a catalyst to extract randomness from a system
Key rate     The ratio of secret key to number of signals in the limit as the number of signals goes to infinity
Error rate   The ratio of the number of errors in the key to the size of the key
Threshold    Maximum tolerable error rate
Active       A device that requires active control
Passive      A device that does not require active control

Table 2: List of common terms in quantum key distribution and information theory.
Symbol           Description
A, B, C, ...     Quantum systems
W, X, Y, Z       Classical systems
a, D             Quantum operators
H_A              Hilbert space corresponding to the system A
H^{⊗n}           n copies of H: H ⊗ H ⊗ ... ⊗ H
Tr, Tr_A         The trace and the partial trace of the system A
P(H)             The set of positive semi-definite operators on H
A ≥ B            An operator inequality equivalent to A − B ∈ P(H)
S_=(H)           The set of normalized quantum states
S_≤(H)           The set of sub-normalized quantum states
log = log_2      The logarithm with base 2
ln               The natural logarithm
R, C             The real and complex numbers
1                The identity operator
id               The identity superoperator
ρ, σ, τ          Quantum density operators
D(ρ, σ)          Trace distance between ρ and σ
F(ρ, σ)          The generalized fidelity between ρ and σ
P(ρ, σ)          The purified distance between ρ and σ
X^†              The Hermitian adjoint of operator X
X^T              The transpose of operator X
X^{-1}           The generalized inverse of operator X
‖X‖_∞            The operator norm of operator X
‖X‖_1            The trace norm of operator X
[n]              The set of integers {1, 2, ..., n}

Table 3: List of commonly used symbols and expressions.
Chapter 1

Introduction 


Physics aims to describe our physical reality so that we can make predictions about our universe. With mathematics as its backbone, physics has been the most successful way humanity has devised to describe the physical world, allowing us to reach the technological advancement we have today. Usually the fundamental theories of physics have a simple description. This fact is a remarkable feature of our universe! We can reduce the complicated phenomena we observe to mathematical models. However, this raises two questions. Firstly, are the models we use to describe reality actually what we mean by ‘reality’? It is ambiguous what the difference is between the models we use to describe reality and what we mean by ‘reality.’ Secondly, do our descriptions properly describe the way nature works, or will we continually find that our models are never accurate enough? Maybe it is continually necessary to update our models as we do new and more accurate experiments that go beyond what we have done previously.


Consider Newton’s law of gravity. If there are two point masses m_1 and m_2 with a distance r between them, then the strength of the force that they exert on each other is

F = \frac{G m_1 m_2}{r^2}, \qquad (1.1)

where G is the gravitational constant.


How do we know that this is the way gravity works? First, you could imagine performing an experiment where you try different masses for m_1 and m_2 separated at different distances and measure the force between them. Then you could see that Eq. 1.1 seems to describe the value of the force within a certain level of accuracy. As more and more precise experiments are performed, by more accurately measuring the masses and distances, a better estimate on the exact value of the gravitational constant G could be obtained and it could be determined if Eq. 1.1 holds. Not only can we perform more accurate experiments, but we can also push the boundaries of these parameters. We can try very large or very small masses, as well as very large and very small distances. In these two ways, we can test whether Eq. 1.1 describes reality or not.

Sometimes laws like Eq. 1.1 are interpreted as not just a model for reality but as reality itself. That reality is the model. However, this equivalence is not true! Physics can only make models for physical reality; we never have direct access to reality itself.


There are two ways in which Eq. 1.1 can fail. The first is that this model may be fundamentally wrong because there are ranges of parameters or a level of accuracy where the model no longer describes reality. For example, there could be a term we can add that just has a small influence on the force, such as

F = \frac{G m_1 m_2}{r^2} + \epsilon \, \frac{G m_1 m_2}{r^3}, \qquad (1.2)

for a small constant ε. Maybe we have not performed an experiment that is accurate enough to find this small deviation. Maybe one of the assumptions that is made about Newton’s law of gravity, such as the uniformity of three-dimensional space, is wrong. Only by doing more experiments, trying to increase the ranges of the parameters, can we see in which situations our models are applicable. Indeed, we now know that Newton’s law of gravity is actually a special case of general relativity. Many situations deviate from Eq. 1.1, such as the orbit of the planet Mercury [Le59].


The second way the model can break down is if the experimental conditions are not ideal. For example, in practice there are no point masses, so does Eq. 1.1 still apply to reality? For many practical purposes, indeed it is applicable. If the masses are very far apart, then they can be treated approximately like point particles. By using approximations, simple mathematical models like Eq. 1.1 can be very successful. They describe the way the world works with surprising accuracy and applicability in a variety of situations.


This thesis concerns itself with this second way that reality deviates from the models used to describe it: when the approximations and assumptions we make in order to apply a model to a physical situation are no longer true. Enter cryptography.

Cryptography is the field of study of tasks in the presence of an adversary. One general task in this field is to enable separated people to communicate without giving away any information to an eavesdropper who tries to figure out what they are communicating.

In contrast to physics, cryptography and its parent field, computer science, start with an idealized model, which is implemented using physical devices. This strategy makes the construction of protocols easier to work with, as they are precisely defined. To show that a cryptographic protocol is secure against an adversary can be (relatively) straightforward because a precise model is used that avoids the two types of deviations mentioned above. However, there may be imperfections with the physical devices used to implement the cryptographic protocol. The security may be compromised by imperfections, since these imperfections may leak information to an eavesdropper or decrease the efficiency so that the protocol no longer accomplishes the goal it was designed for. For example, the amount of power a computer uses may tell an adversary what calculation it is running. As another example, two people may want to communicate securely over the internet but imperfections may lead to a leak of their secure messages to an eavesdropper. This potential information leakage means that better cryptographic models are necessary in order to guarantee security in real implementations. It is not enough to prove that a protocol is secure in an idealized setting.

Information is inherently physical, since implementing cryptographic protocols requires the use of physical devices. This means that the disconnect between the models of cryptography and cryptographic implementations is actually the same problem as with the models of physics and physical reality. This relationship is especially apparent in quantum cryptography where quantum physics is used to perform cryptographic tasks. Usually these protocols are described in an idealized setting and then security is proved in these settings. While this idealization is useful, especially when showing that a certain protocol can be secure in principle, it does not say very much about whether any actual implementation is secure or not.


There is an additional challenge: how do we prove that an implementation of a protocol is secure? There have been several efforts to close the gap between the idealized models and their actual implementations. However, much work remains to ensure that the models are robust and realistic enough to be applicable with minimal assumptions. This thesis aims to clarify this connection.

A model can always be applied to an implementation if enough assumptions are made. Therefore, security of a cryptographic protocol is proven under a set of assumptions. To apply this security proof to an implementation, the assumptions need to be justified (i.e. devices need to behave as modelled). If they are not justified, then an adversary may break the security by exploiting this imperfection. It is therefore extremely important that the assumptions made are clearly presented and understood, so that cryptography can be implemented in a way that is as secure as possible. There are two kinds of assumptions: those that are fundamental (such as that quantum mechanics is correct) and those that are practical (such as the characterization of a device). These latter assumptions are the ones that adversaries can exploit and therefore need to be justified.

This thesis will focus primarily on quantum key distribution, but many 
of the implementations of protocols in quantum cryptography use the same 
physical devices and have similar assumptions. In the assumptions chapter 
(Chapter 4) many of the issues discussed will be applicable to quantum 
cryptography in general. 

The reader should have a basic understanding of quantum mechanics, 
including operators, the quantum harmonic oscillator, Dirac notation, and 
Hilbert spaces. In addition, the reader should have some mathematical 
knowledge of linear algebra and statistics. 

We take an abstract approach to the field of quantum cryptography and in particular, quantum key distribution. This approach will give us the advantage of starting with simple quantum systems. Various protocols in quantum cryptography can then be defined without having to deal with the physical devices used in their implementations. This abstraction sets the foundation for the two goals of this thesis: how security can be proven for quantum key distribution and how these security proofs correspond to implementations. We will not present a complete security proof for a protocol, but instead describe several tools and outline how they are used to prove security. This framework has the advantage that we can separate the techniques and challenges of proving security for idealized models from the techniques for connecting these idealized proofs with implementations. Then we will explain how these protocols may be implemented such that a secure model applies to experiments. As we will see, there are many challenges to overcome to bridge the gap between the perfect models and the physical devices in quantum cryptography.

In this introduction we will start with an overview of quantum cryptography and some of the protocols that are illustrative of what kinds of tasks are possible in this field. Then, quantum key distribution will be introduced. We start out with describing simple models for several protocols and introduce various abstract resources that are needed to perform quantum key distribution.
1.1 Quantum Cryptography 

Quantum cryptography uses quantum states and quantum maps to perform communication or computational tasks in a secure way. There are several tasks and protocols that have been studied, each with a specific goal they try to accomplish. Many of these protocols share similar resources, so before describing particular protocols in quantum cryptography, we list a few resources which are often used.

The protocols used in quantum cryptography usually involve two parties called Alice and Bob. They are named in order to simplify discussions of the protocol. Also, there may be a malicious third party, Eve, who tries to stop Alice and Bob’s cryptography protocol or tries to learn information that is supposed to be hidden from her.

1.1.1 Resources 

One of the basic resources for communication and cryptography is the channel. Channels allow communication between two or more parties and are usually specified by which kind of messages they allow to be transmitted. For example, a channel may only transmit classical messages or it may allow for quantum states. Also, the channel may be authenticated, which means that if one party, Alice, sends a message to another party, Bob, then Bob knows that the messages he receives from this channel must have come from Alice and not from an eavesdropper, Eve. Eve will have access to the communication in an authenticated channel, but she will not be able to change it.

Channels have three eavesdropping models. Secure channels only allow communication between the communicating parties and no eavesdropper can get any access to the communication. However, the eavesdropper may learn the length of the communication sent through the secure channel. Public channels announce their messages to any eavesdroppers in addition to the communicating parties but the eavesdropper cannot interfere with the communication. Finally, a channel may be insecure, which means that Eve can interfere with the signal sent through the channel as much as she likes. For example, for a quantum channel, Eve could apply any quantum map to the signals jointly with an ancillary system of her own.

A classically authenticated public channel between two parties can be constructed from an insecure channel and a shared secret key (see Footnote 1). The key does not need to be uniformly random, but may instead have a lower bound on its entropy [RW03].

1 A key is a string (e.g. a list of numbers) in cryptography that is supposed to be unknown to an adversary.

Another resource is a source. Sources are either classical or quantum, 
and produce either random variables with particular distributions (in the 
classical case) or quantum states. There are also measurements. These take 
quantum states as input and have a classical output. 

Lastly, there is randomness. This is a string of bits that is (preferably) uniformly random at a fixed length. For some applications it can be sufficient to have a non-uniform random string but there may be a guarantee of having a certain amount of randomness, such as a lower bound on the min-entropy with respect to an eavesdropper (see Defn. 2.3.6).


1.1.2 Quantum-Cryptography Protocols 

Now that we have outlined typical resources, we describe some examples of protocols in quantum cryptography to give a brief overview of the field.

Sometimes in the literature the term quantum cryptography is used 
synonymously with quantum key distribution though this is not correct. 
There are a wide variety of quantum-cryptography tasks. 

Many of the protocols below have analogous protocols in a classical setting, but using quantum states or quantum computers often gives an advantage over what is possible classically.

• Secure quantum distributed computing

Secure distributed computing can be related to many tasks where one party, Alice, wants an untrusted party, Bob, to implement a computation for her. One such protocol is quantum homomorphic encryption: Alice, who usually only has a simple quantum device, wants to get the result of a computation [RFG12]. She then asks Bob (who has a quantum computer) to do this computation for her. However, Alice does not want Bob to find out what her data is. To accomplish this secure computation, Alice encodes her data and sends it to Bob; Bob applies the computation on the encoded data and sends the output to Alice, who then decodes the output. Ideally, Bob’s computation does not reveal any information about Alice’s data to Bob, and Alice’s decoded output should correspond to the computation applied to her original unencrypted input. For homomorphic encryption Bob knows what computation is being performed.

2 A string is a list of characters (but for our purposes, these characters will just be numbers), and bits are the binary numbers that are either 0 or 1.

Quantum homomorphic encryption has been shown to be possible with perfect security [Lia13], and it is possible using boson sampling [RFG12].

Another distributed computing protocol is blind computation. It is the same protocol as homomorphic encryption, except it should be even more secure: Bob should not know what the computation is either. In this case, Alice sends Bob an encrypted description of the computation she wants to be performed on her encrypted data [Chi05]. Bob can input this encrypted description into his quantum computer to tell it what computation to perform. At any stage in the computation Bob should not be able to figure out what Alice’s data is or what computation is being applied.

Blind quantum computation is both possible for arbitrary quantum computations [BFK09] and efficient in the amount of communication needed and the simplicity of the quantum device Alice needs to interact with Bob [GMMR13, MPDF13]. Also, the situation where Alice can do quantum measurements has been considered [MK13].

In general, distributed computing is secure, even under composition with other protocols (see Section 3.2.4) [DFPR13]. Classical distributed computing can also be enhanced by using quantum devices [DKK14]. However, if Alice only has classical devices then she cannot perform quantum distributed computing securely [MK14].

• Quantum coin flipping

Quantum coin flipping is designed to have two mutually distrustful parties, Alice and Bob, jointly flip a coin. Even if one of them tries to influence the coin flip, the flip should still be uniformly random [BB84]. While the coin flip cannot be performed perfectly [LC98, May97], it can be performed with a bound of 1/√2 on the probability a dishonest party gets the outcome they want [CK09]. While this scenario is called strong coin flipping, the task of weak coin flipping is where Alice wants to bias the coin to one result and Bob wants to bias it to the other. In this case the probability a dishonest party gets the outcome they want is 1/2, which is the optimal achievable bound on the bias [Moc07, ACG+14].

It is important to note that quantum coin-flipping protocols can always outperform classical ones [ATSVY00]. Coin flipping has been implemented [BBB+11] and has applications in other areas of quantum information [DL09].

• Quantum zero-knowledge proofs

Zero-knowledge proofs involve two parties, a prover and a verifier, where the prover tries to convince the verifier that a certain statement is true without revealing any information about the proof, only that the statement is indeed true. This task is usually done in a probabilistic way so that the verifier will be certain with high probability that the statement is true [Wat02].

As a classical example of a zero-knowledge proof, consider a colour-blind Bob who has two spheres that are identical, except one is red and the other is green. Bob cannot tell them apart, but Alice, who is not colour blind, can still prove to Bob that they are different. Bob takes one sphere in each hand, which Alice can see, and then secretly either leaves them that way or switches which hand holds which sphere. Alice can then tell whether Bob made a switch or not. If Alice can tell them apart, then after many repetitions of the game, Bob will be convinced the spheres are different. If Alice cannot tell them apart then Alice will not be able to guess what Bob did and will probably make a mistake in guessing whether Bob did a switch or not.

Another related task is zero-knowledge proof of knowledge, where the prover not only tries to prove that something is true but that they have access to the proof [Unr12]. For example, not only that a signature from a trusted authority exists but that the prover has such a signature.

Zero-knowledge proofs can be used in cryptography to ensure that honest parties are indeed honest, without needing to reveal any other information, and to ensure that the quantum-cryptography protocol does not leak any additional information to an eavesdropper or a dishonest party. Zero-knowledge proofs also have applications to the hardness of determining whether the output state of a quantum circuit is entangled or separable (see Section 2.2.1) [HMW13].

Some classical and quantum zero-knowledge proofs can be secure against verifiers who try to get some information about the proof or provers who try to lie about knowing that the statement is true [Wat06]. Some classical zero-knowledge proofs are not secure in the quantum setting [ARU14]. The connection between classical and quantum zero-knowledge proofs has been analyzed [CK08]. Also, quantum zero-knowledge proofs can be constructed based on quantum bit commitment (see below) [RdN08].

• Random number generation

Random numbers are useful for a variety of tasks, such as online gambling, computation, and cryptographic protocols. In classical computation, pseudorandom numbers are often used and are sufficient for many applications. Pseudorandom numbers are generated through a deterministic process but may appear under some statistical tests to be random. However, for cryptography, it can be completely insecure to use pseudorandom numbers in the place of truly generated random numbers.

Random numbers can only be produced from physical processes that are stochastic. Examples include atmospheric noise, thermal noise, or quantum processes. Quantum devices can produce randomness with relatively simple devices and rely on the randomness inherent in quantum mechanics, since measurement outcomes sample a probability distribution. It has recently been shown that quantum random numbers can even be extracted by using the camera in a mobile phone [SMZG14].

Random number generation is a cryptographic task because randomness is defined as having some information (such as a string of bits) that is independent of any adversary who tries to get information about the randomness during its generation.

There are related tasks, such as trying to amplify randomness: by starting from a small string of randomness (called a seed) a larger string of randomness can be constructed [CR12a]. Some recent results show that any information that is not completely deterministic can be made completely random, even in the presence of noise [GMD+13, BRG+13]. Also, randomness can be extracted from devices without making assumptions about the structure of the devices used [Col06, PAM+10].

• Quantum oblivious transfer

Oblivious transfer involves one party, Alice, who has a list of possible messages, and another party, Bob, who wants to learn one of the messages [Wie83]. However, Alice should not learn which message Bob asked for and Bob should not be able to get any information about any of Alice’s other messages except for the message he requests. This protocol would ideally work even if Alice or Bob tries to behave adversarially. In general, oblivious transfer protocols are denoted as “k-out-of-n”, meaning that Bob requests k messages from the total, n. The simplest oblivious transfer protocol is then 1-out-of-2.

As with coin flipping, this protocol cannot be implemented perfectly: Alice may learn which messages Bob requested and Bob may be able to get access to some of Alice’s messages he did not request [May97, LC98]. The minimum probability that Alice or Bob can cheat in this protocol and not be detected is 2/3 [CGS13]. If additional assumptions are made, such as that the adversary has a limit on her computational power (in the classical case) or can only store a certain size of quantum system (in the quantum case) then oblivious transfer is possible [DFSS06].

• Quantum bit commitment

Quantum bit commitment is closely related to coin flipping, zero-knowledge proofs, and oblivious transfer. It is the task of having one party, Alice, commit to a value that is hidden until a later point when she will reveal the value. To implement this protocol, Alice sends a quantum state to Bob that will contain an encrypted version of her committed value. At some later point she will reveal her value by telling Bob how to decode the encrypted value from the state he received. The protocol is secure against a cheating Alice if Alice cannot change the value after she has committed to it. The protocol is secure against a cheating Bob if Bob cannot learn the value before Alice chooses to reveal it. However, quantum bit commitment is not completely secure against a cheating Alice or a cheating Bob unless additional assumptions are made [LC98, May97, BCMS97].

The optimal bound on the probability that Alice changes her commitment without being detected in this setting is 0.739 [CK11]. If special relativity is used with quantum mechanics, then bit commitment can be made secure against a cheating Alice [Ken11, Ken12b, Ken12a, CK12]. Also, if additional assumptions are made about the capabilities of Alice and Bob, quantum bit commitment is possible and can be implemented with current technology [LAA+14].

• Quantum key distribution

The goal of quantum key distribution (QKD) is to distribute a secret random string of classical bits between two (or more) trusted parties. That is, they want to have a string of bits (see Footnote 2) that are identical and unknown to an eavesdropper that has tried to figure out what the string is by listening to or modifying the communication between the parties. In order for the string to be secret, it should be random, which means that there is an equal probability of getting a 0 or a 1 at every position in the string, independent of any other bit in the string as well as any other information. The string in this context is referred to as a key.

Secret random classical strings are useful for a variety of tasks in cryptography and computer science. One straightforward use is as a key for the one-time pad encryption (also called the Vernam cipher) [Mil82, Ver19]. It is a protocol that allows for two parties to communicate privately (i.e. to construct a private channel) by using a secret random classical string that they share and an authenticated public classical channel. Alice encodes her message by adding it bit-wise mod 2 to her key (see Fig. 1.1), which results in a string called a ciphertext. Alice sends the ciphertext through an authenticated classical channel to Bob. Then, since Bob has the same key, if he adds the key to his received message, he gets Alice’s original message.

[Figure 1.1: diagram. Alice:

    00111100111111  Message
  + 10101000101010  Key
    --------------
    10010100010101  Ciphertext

The ciphertext travels to Bob over an authenticated classical channel. Bob:

    10101000101010  Key
  + 10010100010101  Ciphertext
    --------------
    00111100111111  Message ]

Figure 1.1: The one-time pad protocol. Alice and Bob share a secret key that is at least the length of a message. Alice adds her key to her message (modulo 2), which encodes the message as a ciphertext. Alice sends the ciphertext to Bob through an authenticated classical channel. Bob can determine Alice’s message by adding the key to the ciphertext (modulo 2).

In order to distribute a secret random string several resources are needed. Alice and Bob will use an insecure quantum channel to send quantum states to each other. Alice and Bob will also need to communicate classically, which they do through an authenticated classical channel. They will also need some randomness which may be used to choose measurement settings or for classical post-processing.

Since an authenticated channel is used for QKD, QKD has also been referred to as a quantum key growing or a quantum key extending protocol, since it often uses an authenticated channel constructed from a shared secret key that Alice and Bob share. QKD then extends, or grows, this key. Other authentication schemes can be used which do not require an initial shared secret key, such as in [MSU13].
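The one-time pad of Fig. 1.1, worked through in code (an added example, not code from the thesis): the bit strings are the ones in the figure, and the two extra checks show what the text asks of the key: that a uniformly random secret key makes the ciphertext independent of the message, and that reusing a key lets an eavesdropper learn where two messages differ.

```python
# Added example, not code from the thesis: the one-time pad of Fig. 1.1 on bit
# strings. The sample strings are the ones in the figure; the two extra checks
# (perfect secrecy, key reuse) illustrate why the key must be random, secret,
# as long as the message, and used only once.

MESSAGE = "00111100111111"     # Alice's message (from Fig. 1.1)
KEY = "10101000101010"         # shared secret key (from Fig. 1.1)
CIPHERTEXT = "10010100010101"  # what Bob receives (from Fig. 1.1)


def xor_bits(a, b):
    """Bit-wise addition modulo 2 of two equal-length bit strings."""
    if len(a) != len(b):
        raise ValueError("the key must be exactly as long as the message")
    if not (set(a) | set(b)) <= {"0", "1"}:
        raise ValueError("inputs must be bit strings")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def otp_encrypt(message, key):
    """Alice's step: ciphertext = message + key (mod 2)."""
    return xor_bits(message, key)


def otp_decrypt(ciphertext, key):
    """Bob's step: adding the same key a second time cancels it."""
    return xor_bits(ciphertext, key)


def perfect_secrecy_witness(ciphertext):
    """For a fixed ciphertext, map every message of the same length to the
    unique key that would produce it. Each message is explained by exactly
    one key, so with a uniformly random secret key the ciphertext carries no
    information about the message. Keep n small: the table has 2^n rows."""
    n = len(ciphertext)
    witness = {}
    for i in range(2 ** n):
        candidate = format(i, f"0{n}b")
        witness[candidate] = xor_bits(candidate, ciphertext)
    return witness


def key_reuse_leak(ciphertext_1, ciphertext_2):
    """If the same key pads two messages, the key cancels in the sum of the
    two ciphertexts: an eavesdropper learns message_1 + message_2 (mod 2),
    i.e. exactly where the messages differ, without knowing the key.
    This is why the pad must be one-time."""
    return xor_bits(ciphertext_1, ciphertext_2)


if __name__ == "__main__":
    assert otp_encrypt(MESSAGE, KEY) == CIPHERTEXT
    assert otp_decrypt(CIPHERTEXT, KEY) == MESSAGE
    print("Fig. 1.1 round trip OK")
```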
While this thesis focuses on QKD, many implementations of quantum-cryptography protocols use similar devices, and therefore many of the issues discussed throughout this thesis will also apply to other quantum-cryptography protocols.


1.2 Quantum Key Distribution 

The task of distributing random secret keys can be accomplished without 
performing quantum key distribution (QKD). Instead of going through 
the trouble of using quantum mechanics, keys could be distributed by using 
a source of randomness and then copying this randomness onto two 
hard drives, where Alice keeps one and gives the other to Bob. Also, why 
do we need quantum key distribution in combination with the one-time 
pad for secure communication if we can use the classical cryptography 
that is used for online security today? 

There are several advantages that QKD provides over other alternatives 
[SBPC+08, SK09]. Current classical cryptography is usually based 
on the assumption that a particular mathematical problem is hard, such 
as factoring large integers [DH76]. Using this kind of cryptography carries 
the risk that it may be broken if a classical algorithm is invented that 
is faster at factoring large numbers than what is currently known. Also, 
if and when quantum computers are built, they can factor large integers 
efficiently using an algorithm by Shor [Sho99]. Furthermore, even if a 
problem is hard to solve, it can still be solved! So if an eavesdropper 
has enough time and computing power they can always decode the secure 
communication. For information that must be secret for a long period of 
time, classical cryptography may not be sufficient. 

In contrast to classical cryptography, QKD does not rely on the computational 
difficulty of a mathematical problem but instead it relies on 
information-theoretic security, which means that the probability that an 
eavesdropper gets any information about the key can be made incredibly 
small, no matter what computational power an eavesdropper has at their 
disposal. There are other notions of security but these rely, for example, 
on computational hardness assumptions. 

QKD also has an advantage over the distributed hard drive scenario 
above, since it can make arbitrarily long keys from an initial seed. New hard 
drives would have to be distributed to extend the key in the other scenario. 

QKD also has some disadvantages over classical cryptography. Due to 
losses and errors QKD cannot be done over distances longer than ~200-
300 km with current technology [SBPC+08, XQLL13, KLH+14]. However, 
it may be possible in the future to use satellites to extend this distance 
[MSYM+11, WYL+12, Qi14, RKKM14, VBD+14]. Also, the speed at which 
a secure key can be generated is typically much slower than what is possible 
with current classical cryptography. Lastly, some assumptions that 
are needed for a quantum-cryptography protocol to be secure are impractical 
or not yet possible with current technology. These are some of the 
challenges that QKD faces in order to become more widely used. 

In this section, we discuss the structure that QKD protocols follow. 
Then we list several protocols and how they would be implemented in an 
ideal way. We categorize QKD protocols by whether they have discrete or 
continuous measurement outcomes, as the devices used in these two kinds 
of protocols are different. We also discuss device-independent protocols 
that do not make assumptions about the structure of the devices or the 
states used in the protocol. 


1.2.1 General QKD Structure 

Almost all QKD protocols follow the same general structure. We will 
focus on bipartite QKD, where there are two parties, Alice and Bob, who 
are trying to construct a shared secret random string. However, there are 
also schemes for multi-party QKD [Cab00, LLKO04]. 

First, there is a quantum stage followed by a classical stage. In the 
quantum stage, Alice and Bob send quantum states to each other, or perhaps 
only Alice sends states to Bob, through an insecure quantum channel. 
These quantum states are associated with classical bits that Alice and Bob 
are trying to communicate to each other. The classical stage, usually called 
classical post-processing, is performed on their measurement outcomes to 
correct any errors due to noise in the quantum channel or in their devices. 
Also, an eavesdropper could have interfered with the signals, and 
they need to ensure that any knowledge an eavesdropper has gained is 
removed. 

In classical post-processing there are usually at least three steps: parameter 
estimation, information reconciliation (also sometimes called error 
correction), and privacy amplification. Alice and Bob will need to 
communicate classically for the classical post-processing and they need 
to know that an eavesdropper does not interfere with this communication, 
so they use an authenticated classical channel. 

Typically, there is an asymmetry in the quantum stage of the protocol 
between Alice and Bob. For example, Alice may prepare quantum 
states that Bob measures. This implies that the classical data that Alice 
and Bob hold after the quantum stage come from different sources. Alice 
may have prepared a uniformly random string to pick which quantum 
states she prepares, while Bob gets his classical data from the output of a 
quantum measurement. This creates an asymmetry in the classical post-
processing, which can be performed in one of three ways. The first way, 
called direct reconciliation, is if Alice only sends classical information about 
her string to Bob and Bob does not tell Alice anything about his string. If 
the roles of Alice and Bob are reversed, so that Bob only sends classical 
information about his string to Alice, then this is called reverse reconciliation. 
Direct and reverse reconciliation are one-way classical post-processing. Even 
though the communication is one-way, the other party, such as Bob in 
direct reconciliation, may need to communicate some auxiliary information 
to Alice, such as whether they should abort or continue the protocol 
(see below for more information on aborting). 

They can also implement the post-processing by using two-way communication, 
where Alice and Bob send information to each other about 
their strings. Typically one-way communication is considered since it is 
usually easier to analyze and sufficient to perform the post-processing. 
Throughout this thesis we will assume that direct reconciliation is being 
performed. 

The first step of classical post-processing is parameter estimation, 
where Alice and Bob can get some statistical knowledge about their strings 
in order to figure out how many errors they have and also how much 
information an eavesdropper may have on their strings. Then they use 
the information they learned from parameter estimation to perform an 
information-reconciliation step to correct any errors between their two 
strings. After this subprotocol they should have the same string (at least 
with very high probability). They finish with privacy amplification, in order 
to remove any information that an eavesdropper may have about their 
strings (at least with very high probability). In order to perform the classical 
post-processing, Alice and Bob need a source of randomness (see 
Section 3.3). 

Note that after parameter estimation they may see that their strings 
have a large fraction of errors between them. In this case they have 
to abort the protocol, since an eavesdropper could have gained so much 
knowledge about their strings that no amount of privacy amplification 
would make their key secure. The value that the error rate (or other 
statistical quantity) must not exceed is called the threshold of the 
protocol. To find this threshold, the parameters of the protocol need to be 
analyzed (see Section 3.3.4). 
Parameter Estimation 

Parameter estimation in QKD is the task of using statistics on a small 
sample of Alice's and Bob's strings to estimate a global property of those 
strings. For example, the number of errors between Alice's and Bob's 
strings can be estimated from a small sample by using Chernoff-Hoeffding 
type bounds [Che52, Hoe63, Ser74] (see Lemma 3.3.4). These bounds are 
statistical inequalities that state that if a random subset of data is known, 
then a statistical property of the sample must be close to the statistical 
property of all of the data. In the example of estimating the number of errors, 
Alice communicates to Bob a fraction of her string and Bob finds that they 
have an error fraction (also called an error ratio or error rate), say, of 5%. 
Then they know that the total error rate of their strings is (with high probability) 
close to 5%. The closeness is exponentially close in the size of the 
sample (see Lemma 3.3.4). 

Parameter estimation can be accomplished if Alice sends Bob a small 
sample of her string through the authenticated classical channel. Bob can 
then tell Alice what error rate he sees so that Alice also knows the error 
rate. If they see that their error rate is beyond the threshold allowed, they 
abort the protocol. Otherwise, they continue. 

See Section 3.3.3 for the details of parameter estimation. After Alice 
and Bob have done the estimation, they are ready to correct the errors 
between their strings. 

Information Reconciliation 

In information reconciliation, Alice and Bob try to correct the errors 
between their strings which may have been caused by an eavesdropper or 
noise in the channel and devices they used. They want to communicate a 
minimal amount of relevant information to each other over the classically 
authenticated channel so that they can correct any errors. From parameter 
estimation they have an estimate on the number of errors between their 
strings, so they just need to figure out where their errors are [WC81]. 

The information-reconciliation procedure may be probabilistic so that 
with high probability it succeeds in correcting all the errors and with a 
small probability it does not. Alice and Bob may have to check if error 
correction has succeeded or not. Therefore, they can communicate a small 
amount of information to ensure they have the same string after their error 
correction. 

See Section 3.3.2 for the details of how information reconciliation can 
be implemented. 
Privacy Amplification 

After information reconciliation, Alice and Bob have the same strings. 
Now they need to remove any information an eavesdropper may have 
learned about their shared string. Privacy amplification achieves this task 
at a cost of reducing the size of Alice and Bob's string [BBCM95]. The 
shorter they make their shared string, the more secure their shared string 
will be. 

Note that the eavesdropper gets information about Alice and Bob's 
string in one of two ways. One is through manipulating the quantum 
states during the quantum stage of the protocol. The other is by using the 
information that is sent through the authenticated classical channel, which 
includes the communication used for parameter estimation, the communication 
used to correct the errors during information reconciliation, and 
the communication to make sure the error correction procedure has succeeded. 

For the details of privacy amplification, see Section 3.3.1. 
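The three post-processing steps described above, run end to end on constructed strings, as an added example that is not part of the thesis. It follows the text: Alice reveals a random sample for parameter estimation and its error fraction is turned into a bound on the rest of the string with Hoeffding's inequality; the remaining errors are located by one-way (direct) block-parity reconciliation in which only Alice's parities are disclosed, and a short universal hash checks that the strings agree; a random Toeplitz matrix over GF(2) then shortens the string. Two things are assumptions of this example rather than statements on this page: the abort threshold of 11% and the rule that Eve is credited with n·h(e) bits, h being the binary entropy of the upper bound e on the error rate. Every bit Alice discloses is counted and subtracted from the final length.

```python
from __future__ import annotations
import math
import random


def make_strings(n: int, error_rate: float, rng: random.Random):
    """Constructed sample: Alice's uniform string and Bob's copy with each
    bit flipped independently with probability error_rate."""
    alice = [rng.randint(0, 1) for _ in range(n)]
    bob = [a ^ (1 if rng.random() < error_rate else 0) for a in alice]
    return alice, bob


def hoeffding_deviation(sample_size: int, failure_prob: float) -> float:
    """Hoeffding: Pr[|observed - true| >= t] <= 2 exp(-2 m t^2); solve for t."""
    return math.sqrt(math.log(2 / failure_prob) / (2 * sample_size))


def parameter_estimation(alice, bob, sample_size, threshold, failure_prob, rng):
    """Alice reveals a random sample, Bob reports its error fraction, and both
    bound the error rate of the rest; they abort if the bound exceeds the
    threshold. The revealed positions are dropped from the strings."""
    sampled = set(rng.sample(range(len(alice)), sample_size))
    observed = sum(alice[i] != bob[i] for i in sampled) / sample_size
    upper = min(0.5, observed + hoeffding_deviation(sample_size, failure_prob))
    keep = [i for i in range(len(alice)) if i not in sampled]
    rest_a, rest_b = [alice[i] for i in keep], [bob[i] for i in keep]
    return observed, upper, rest_a, rest_b, upper <= threshold


def toeplitz_hash(bits, seed, out_len):
    """Universal hash by a random Toeplitz matrix over GF(2):
    T[i][j] = seed[i - j + n - 1], out[i] = XOR_j T[i][j] * bits[j].
    Packed into big integers: row i is the window seed[i : i + n]."""
    n = len(bits)
    if len(seed) != out_len + n - 1:
        raise ValueError("seed must have out_len + n - 1 bits")
    x = int("".join(map(str, bits)), 2)             # bit n-1-j holds bits[j]
    s = int("".join(map(str, reversed(seed))), 2)   # bit k holds seed[k]
    return [bin((s >> i) & x).count("1") % 2 for i in range(out_len)]


def _parity(bits, idx):
    return sum(bits[i] for i in idx) % 2


def _binary_search(alice, bob, idx, leak):
    """Find one error in a block with mismatched parity by halving; every
    parity Alice discloses is counted in leak[0]."""
    while len(idx) > 1:
        half = idx[: len(idx) // 2]
        leak[0] += 1
        idx = half if _parity(alice, half) != _parity(bob, half) else idx[len(idx) // 2:]
    bob[idx[0]] ^= 1   # the bit found always differs, so flipping corrects it


def information_reconciliation(alice, bob, block_size, verify_bits, rng, max_rounds=20):
    """Block-parity rounds over fresh random permutations (direct
    reconciliation: only Alice's parities are sent) until a short universal
    hash of both strings agrees. Returns Bob's corrected string, the number
    of disclosed bits, and whether the verification passed."""
    bob, n, leak = list(bob), len(alice), [0]
    for _ in range(max_rounds):
        perm = list(range(n))
        rng.shuffle(perm)
        for start in range(0, n, block_size):
            block = perm[start:start + block_size]
            leak[0] += 1
            if _parity(alice, block) != _parity(bob, block):
                _binary_search(alice, bob, block, leak)
        seed = [rng.randint(0, 1) for _ in range(verify_bits + n - 1)]
        leak[0] += verify_bits
        if toeplitz_hash(alice, seed, verify_bits) == toeplitz_hash(bob, seed, verify_bits):
            return bob, leak[0], True
    return bob, leak[0], False


def binary_entropy(p: float) -> float:
    return 0.0 if p <= 0 or p >= 1 else -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def qkd_post_processing(n=10000, error_rate=0.02, threshold=0.11, seed=1):
    """Run all three steps on constructed strings and return the final keys."""
    rng = random.Random(seed)
    alice, bob = make_strings(n, error_rate, rng)
    observed, upper, a, b, ok = parameter_estimation(alice, bob, n // 5, threshold, 1e-6, rng)
    if not ok:
        return {"aborted": True, "observed": observed, "upper": upper}
    block = max(2, int(0.73 / max(observed, 0.005)))   # Cascade-style block size
    b, leaked, verified = information_reconciliation(a, b, block, 32, rng)
    # Eve's knowledge is credited as n*h(upper) bits: an assumed bound for
    # this example, not a bound stated on this page.
    eve_bits = math.ceil(len(a) * binary_entropy(upper))
    out_len = len(a) - leaked - eve_bits
    if not verified or out_len <= 0:
        return {"aborted": True, "observed": observed, "upper": upper}
    pa_seed = [rng.randint(0, 1) for _ in range(out_len + len(a) - 1)]  # public
    return {"aborted": False, "observed": observed, "upper": upper,
            "errors_after_ec": sum(x != y for x, y in zip(a, b)),
            "leaked_bits": leaked, "eve_bits": eve_bits,
            "key_alice": toeplitz_hash(a, pa_seed, out_len),
            "key_bob": toeplitz_hash(b, pa_seed, out_len)}
```

Running qkd_post_processing() with the defaults gives matching keys of a few thousand bits; raising error_rate to 0.2 makes the Hoeffding upper bound exceed the threshold and the run aborts before any parities are sent, which is the abort decision the text describes.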

We now list common QKD protocols in two categories that classify 
what kind of states are used (see Section 3.4.1 for the full classification of 
QKD protocols). First, there are discrete protocols that have measurements 
with discrete outcomes, and second, there are continuous-variable protocols 
that have measurements with continuous outcomes. We present the 
protocols here in their idealized form for clarity of exposition and leave 
the details of their implementations for later (Chapter 4). We will also 
discuss the current status of the security of these protocols. In the assumptions 
chapter (Chapter 4), we will discuss how these protocols are actually 
implemented and how these implementations differ from their idealized 
form. 


1.2.2 Discrete Protocols 

Discrete protocols have at least one quantum measurement whose 
outcomes come from a (usually small) discrete set. Typically, they are 
modelled in an ideal setting by the encoding of classical bits in finite-
dimensional quantum states. 

First, we list several protocols that use qubits (i.e. two-level quantum 
systems) as the quantum states that are sent through the quantum channel 
and then we will list some protocols that are still discrete but do not use 
qubits for their quantum states. 
Figure 1.2: The BB84 protocol. Alice prepares one of the four states 
$\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$ with equal probability and Bob measures in the X basis 
($\{|+\rangle, |-\rangle\}$) or Z basis ($\{|0\rangle, |1\rangle\}$) with equal probability. 


BB84 


BB84 was the first QKD protocol, developed in 1984 by Bennett and 
Brassard (hence the name) [BB84]. It is probably the most analyzed QKD 
protocol, not only due to it being the first, but also due to its simplicity 
and symmetry. The BB84 protocol has several security proofs that apply 
under various assumptions, for example [LC99, May01, May96, BM97, 
SP00, KP03, GLLP04, Ren05, KGR05, RGK05, TLGR12, FNL12]. 


The protocol is defined as follows. First, Alice prepares one of four 
qubit states 

$$|0\rangle, \quad |1\rangle, \quad |+\rangle := \frac{|0\rangle + |1\rangle}{\sqrt{2}}, \quad |-\rangle := \frac{|0\rangle - |1\rangle}{\sqrt{2}} \qquad (1.3)$$

and she sends them through an insecure quantum channel to Bob (see 
Fig. 1.2). Bob randomly chooses one of two bases ($\{|0\rangle, |1\rangle\}$ or $\{|+\rangle, |-\rangle\}$) 
uniformly at random to measure each signal he receives (see Defn. 2.2.10). 
These bases are often referred to as the Z and X basis respectively, since 
they are the set of eigenvectors of the Pauli matrices 

$$\sigma_z = \cdots \qquad (1.4)$$

Whenever Alice or Bob send/measure the states $|0\rangle$ or $|+\rangle$ they store a 0 in 
their classical computer and whenever they send/measure $|1\rangle$ or $|-\rangle$ they 
store a 1. They now both have a string of bits. 


Alice then classically communicates which basis her states were in and 
Bob tells Alice which bases he measured in. Alice and Bob throw away the 
bits where Bob’s measurement basis and Alice’s signal do not match. This 
step of checking their bases and throwing away these bits is called basis 
sifting. They continue on to the classical post-processing steps after basis 
sifting. 
Figure 1.3: The Ekert91 protocol. Eve prepares a bipartite state that is ideally a 
maximally entangled two-qubit state. Alice and Bob each measure in the X or Z 
basis, chosen uniformly at random. 


Ekert91 


The Ekert91 protocol [Eke91] is similar to the BB84 protocol and in 
an ideal setting is actually the same as the BB84 protocol [BBM92]. Here 
we present a slightly different version of what Ekert originally presented, 
in order to connect it with the BB84 protocol. Eve, or another untrusted 
source, prepares entangled bipartite qubit states (see Defn. 2.2.7). Ideally 
this state has the form 

$$|\psi^+\rangle = \frac{|00\rangle + |11\rangle}{\sqrt{2}}, \qquad (1.5)$$

which is from the Bell basis (see Eq. 1.18) [NC00]. Alice gets one of the 
qubits, and Bob gets the other (see Fig. 1.3). Uniformly at random they 
each choose a basis to measure in and do the same measurement as in the 
BB84 protocol ($\{|0\rangle, |1\rangle\}$ or $\{|+\rangle, |-\rangle\}$). 


Alice and Bob then do basis sifting, as in the BB84 protocol, followed 
by classical post-processing. 


To see how the BB84 and Ekert protocols are equivalent, notice that 
the production of the entangled state $|\psi^+\rangle$ and a measurement on one 
of the qubits in one of the two bases $\{|0\rangle, |1\rangle\}$ or $\{|+\rangle, |-\rangle\}$ leaves the 
other qubit in one of the states from Eq. 1.3. In the BB84 protocol Alice 
chooses one of four states to send, which she could choose by doing 
a measurement on a four-dimensional ancillary system consisting of the 
states $|0\rangle, |1\rangle, |2\rangle, |3\rangle$. We write Alice's state in the BB84 protocol as: 

(1.9) 

where $|0\rangle$ and $|1\rangle$ are orthonormal states that are linear combinations of 
the basis vectors in Alice's four-dimensional space. Therefore, if Alice prepares 
the entangled state and does a measurement on one half of it then 
it is the same as having a source that just prepares one of the states from 
Eq. 1.3. Therefore, the BB84 and Ekert91 protocols are equivalent if Alice 
or Bob prepare the entangled state $|\psi^+\rangle$ and measure qubits. 


If Eve is preparing the bipartite states in the Ekert91 protocol, then 
she will have more power than in the BB84 protocol, since in the BB84 
protocol she can only modify the state sent from Alice to Bob. 


In an experiment it is more difficult to connect the BB84 protocol 
to the Ekert91 protocol (see Section 3.4.4). Also, the original protocol 
by Ekert was intended to be device-independent (see Section 1.2.4 for a 
description of device-independent protocols). 
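The BB84 quantum stage and basis sifting, together with the BB84/Ekert91 equivalence argued above, as an added simulation that is not code from the thesis. Qubits are pairs of real amplitudes and measurements follow the Born rule. The prepare-and-measure source picks one of the Eq. 1.3 states directly; the entangled source instead projects Alice's half of $|\psi^+\rangle$ (Eq. 1.5) onto her outcome and hands Bob the conditional state, and the two sources produce the same sifted statistics. The bit-flip channel noise is a constructed model, not something the text specifies.

```python
from __future__ import annotations
import math
import random

S = 1 / math.sqrt(2)
# The four BB84 states of Eq. 1.3 as (amplitude of |0>, amplitude of |1>).
STATES = {("Z", 0): (1.0, 0.0), ("Z", 1): (0.0, 1.0),
          ("X", 0): (S, S), ("X", 1): (S, -S)}
# |psi+> of Eq. 1.5 as amplitudes of |00>, |01>, |10>, |11>.
PSI_PLUS = (S, 0.0, 0.0, S)


def born_probability(outcome, state) -> float:
    """|<outcome|state>|^2 (amplitudes are real here, so no conjugation)."""
    return abs(sum(a * b for a, b in zip(outcome, state))) ** 2


def measure(state, basis, rng) -> int:
    """Projective measurement in the Z or X basis, returning the bit."""
    return 0 if rng.random() < born_probability(STATES[(basis, 0)], state) else 1


def prepare_and_measure_source(basis, rng):
    """BB84 source: Alice picks a bit and prepares the matching state."""
    bit = rng.randint(0, 1)
    return bit, STATES[(basis, bit)]


def entangled_source(basis, rng):
    """Ekert91-style source: Alice measures her half of |psi+> in `basis`.
    Contracting her outcome <a| with the two-qubit state gives the
    (unnormalised) state Bob's qubit is left in; it is the Eq. 1.3 state
    with the same label, which is the equivalence the text describes."""
    outcomes = {}
    for a in (0, 1):
        va = STATES[(basis, a)]
        unnorm = tuple(sum(va[i] * PSI_PLUS[2 * i + j] for i in (0, 1)) for j in (0, 1))
        p = sum(x * x for x in unnorm)
        outcomes[a] = (p, tuple(x / math.sqrt(p) for x in unnorm))
    a = 0 if rng.random() < outcomes[0][0] else 1
    return a, outcomes[a][1]


def bb84(n_signals, seed=0, source=prepare_and_measure_source, flip_prob=0.0):
    """Quantum stage plus basis sifting. flip_prob is a constructed channel
    noise model (a bit flip on each qubit). Returns Alice's and Bob's sifted
    strings and the error fraction between them."""
    rng = random.Random(seed)
    a_bits, a_bases, b_bits, b_bases = [], [], [], []
    for _ in range(n_signals):
        basis = rng.choice("ZX")
        bit, state = source(basis, rng)
        if rng.random() < flip_prob:
            # A bit flip swaps the |0> and |1> amplitudes. It changes |0>,|1>
            # but leaves |+> and |-> unchanged up to a global sign, so it is
            # only visible in Z-basis rounds.
            state = (state[1], state[0])
        bob_basis = rng.choice("ZX")
        a_bits.append(bit)
        a_bases.append(basis)
        b_bits.append(measure(state, bob_basis, rng))
        b_bases.append(bob_basis)
    # Basis sifting: keep only the rounds where the bases agree.
    kept = [(x, y) for x, y, bx, by in zip(a_bits, b_bits, a_bases, b_bases) if bx == by]
    key_a, key_b = [x for x, _ in kept], [y for _, y in kept]
    errors = sum(x != y for x, y in kept)
    return key_a, key_b, (errors / len(kept) if kept else 0.0)
```

With no noise both sources give identical sifted strings of about half the signals; with the constructed bit-flip noise the measured error fraction is about half the flip probability, because only the Z-basis rounds can see it.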


BB84 Variants 

There are several variants of the BB84 protocol. Two notable examples 
are the six-state protocol [Bru98] and SARG [SARG04]. 

The six-state protocol is an extension of the BB84 protocol from four 
states $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$ to six states by adding $|i\rangle := (|0\rangle + i|1\rangle)/\sqrt{2}$ and 
$|-i\rangle := (|0\rangle - i|1\rangle)/\sqrt{2}$, called the Y basis, since it is the set of eigenvectors of the 
Pauli matrix $\sigma_y$. 

The six-state protocol is of interest because it was found to be more efficient 
than the BB84 protocol [Bru98]. Also, the measurements are extended 
to include a third basis $\{|i\rangle, |-i\rangle\}$. Bob then chooses one of the 
three bases uniformly at random. Alice and Bob do basis sifting afterwards, 
discarding any measurement/preparation pairs that are not in the 
same basis. 

The SARG protocol was introduced as an alternative to the BB84 protocol 
to counteract an attack that Eve can apply to implementations of 
BB84 [BLMS00, Ben92, DHH99, HIGM95]. It works the same as the BB84 
protocol, except it reverses the role of the states and bases. If Alice sent a 
state in the Z basis, she writes a 0, and if she sent a state in the X basis, she 
writes a 1. Bob's string is more complicated and will be explained below. 

After the quantum stage of the protocol, Alice communicates one of 
the following four sets that contains her sent state: $\{|0\rangle, |+\rangle\}$, $\{|0\rangle, |-\rangle\}$, 
$\{|1\rangle, |+\rangle\}$, $\{|1\rangle, |-\rangle\}$. Since these sets have some states in common, Alice 
will uniformly at random choose a set that is compatible with the state she 
sent. Bob can then figure out which state Alice sent with probability 1/2. 
For example, if Alice announces the set $\{|0\rangle, |+\rangle\}$ and she sent the state $|+\rangle$, 
then if Bob measured in the Z basis and gets outcome $|1\rangle$ he knows that 
Alice must have sent the state $|+\rangle$, and therefore writes down the bit 1. 
Similarly, if Alice had sent the state $|0\rangle$ and announced the same set, and if 
Bob measured in the X basis and got the outcome $|-\rangle$ he knows Alice must 
have sent $|0\rangle$ and he writes down a 0. 

Alice and Bob do basis sifting as in the BB84 protocol. If Bob gets a 
measurement outcome that is not in Alice's announced set or that is inconclusive 
(such as getting outcome $|0\rangle$ when the set announced is $\{|0\rangle, |+\rangle\}$) 
then he tells Alice and they discard this measurement outcome. 

Classical post-processing follows the six-state and SARG protocols after 
basis sifting. 
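Bob's SARG decoding rule, as an added example that is not code from the thesis. The rule is the one stated above: Alice's bit is 0 for a Z state and 1 for an X state, and Bob's outcome rules out whichever announced state it is orthogonal to, so the other one must have been sent; an outcome orthogonal to neither is inconclusive. The second function enumerates every sent state, announced set, Bob basis and outcome with its Born-rule probability to check that conclusive deductions are never wrong. It returns the unconditional conclusive fraction (1/4) as well as the fraction conditioned on Bob measuring in the basis other than the sent state's, which is the 1/2 the text gives.

```python
import math

S = 1 / math.sqrt(2)
KET = {"0": (1.0, 0.0), "1": (0.0, 1.0), "+": (S, S), "-": (S, -S)}
BASIS_OF = {"0": "Z", "1": "Z", "+": "X", "-": "X"}
BASIS_STATES = {"Z": ("0", "1"), "X": ("+", "-")}
# The four sets Alice may announce; each pairs one Z state with one X state.
ANNOUNCED_SETS = [("0", "+"), ("0", "-"), ("1", "+"), ("1", "-")]


def born(outcome, state):
    """|<outcome|state>|^2 with real amplitudes."""
    return abs(sum(a * b for a, b in zip(KET[outcome], KET[state]))) ** 2


def sarg_bob_bit(announced, outcome):
    """Alice's bit as Bob deduces it, or None if the round is inconclusive.
    Bob's outcome rules out the announced state it is orthogonal to; the
    other announced state was sent, and its basis gives the bit."""
    for ruled_out, sent in (announced, announced[::-1]):
        if born(outcome, ruled_out) < 1e-12:
            return 0 if BASIS_OF[sent] == "Z" else 1
    return None


def sarg_statistics():
    """Weight every (sent state, announced set, Bob basis, outcome) by its
    probability. Returns (fraction of conclusive rounds, whether every
    conclusive deduction matched Alice's bit, conclusive fraction given
    that Bob measured in the other basis than the one Alice's state is in)."""
    conclusive = correct = 0.0
    conclusive_other = weight_other = 0.0
    for sent in KET:
        alice_bit = 0 if BASIS_OF[sent] == "Z" else 1
        compatible = [s for s in ANNOUNCED_SETS if sent in s]
        for announced in compatible:
            for bob_basis in ("Z", "X"):
                for outcome in BASIS_STATES[bob_basis]:
                    # uniform sent state, uniform compatible set, uniform
                    # Bob basis, then the Born rule for the outcome
                    w = (1 / len(KET)) * (1 / len(compatible)) * 0.5 * born(outcome, sent)
                    other_basis = bob_basis != BASIS_OF[sent]
                    if other_basis:
                        weight_other += w
                    bit = sarg_bob_bit(announced, outcome)
                    if bit is not None:
                        conclusive += w
                        correct += w if bit == alice_bit else 0.0
                        if other_basis:
                            conclusive_other += w
    return conclusive, abs(conclusive - correct) < 1e-12, conclusive_other / weight_other
```

The two worked cases in the text are sarg_bob_bit(("0", "+"), "1"), which returns 1, and sarg_bob_bit(("0", "+"), "-"), which returns 0; sarg_bob_bit(("0", "+"), "0") is the inconclusive case and returns None.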


B92 


Another BB84 protocol variant is the B92 protocol [Ben92]. It differs 
from BB84 by only using two states: $|0\rangle$ and $|+\rangle$ (see Fig. 1.4). Sometimes 
two non-orthogonal states other than $|0\rangle$ and $|+\rangle$ are used, but here we 
use $|0\rangle$ and $|+\rangle$ for simplicity. Also, Bob only does a single measurement; 
he does not have a basis choice. This means that the basis sifting step is 
not necessary. 

Bob's measurement is unambiguous state discrimination [NC00]. For 
the states $|0\rangle$ and $|+\rangle$ Bob's measurement is described by the three positive 
operator valued measure (POVM) elements (see Defn. 2.2.10) 

$$F_0 = \frac{1}{1+\sqrt{2}}\,|-\rangle\langle -|, \qquad F_1 = \frac{1}{1+\sqrt{2}}\,|1\rangle\langle 1|, \qquad F_? = \mathbb{1} - F_0 - F_1. \qquad (1.11)$$
Figure 1.4: The B92 protocol. Alice randomly prepares either $|0\rangle$ or $|+\rangle$ and 
Bob does unambiguous state discrimination between these states (Eq. 1.11). Bob 
either gets outcome 0 or + to indicate which state he received, or '?' when his 
measurement is inconclusive. 


With this measurement, Bob knows that when he gets outcome 0 
he could not have had the state $|+\rangle$, since $|+\rangle$ and $|-\rangle$ are orthogonal 
($\langle +|-\rangle = 0$). Similarly, when Bob gets outcome 1, he could not have had 
the state $|0\rangle$. If he gets outcome '?' then he does not know which state 
he received. Bob will also keep track of the number of '?' measurement 
outcomes he gets. The '?' outcomes are important, since Eve could just do 
the same measurement as Bob before him, and always know what Bob's 
measurement outcomes would be. However, if Eve does the same measurement 
then Bob will see a higher number of '?' outcomes. Alice and 
Bob will abort the protocol if the number of '?' events is beyond a certain 
threshold. 

Also, Bob reveals the positions in which he got outcome '?' so that Alice 
knows to throw that bit of her string away. Alice and Bob then continue 
to the classical post-processing steps. 

B92 has been proven secure for single photons [TKI03, TL04] as well 
as with more sophisticated models for the states used [Koa04, TLKB09]. 
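The POVM of Eq. 1.11 written out as 2x2 matrices, as an added example that is not code from the thesis. It checks that the three elements form a valid POVM (each positive semidefinite, summing to the identity) and computes the Born-rule outcome probabilities for each of Alice's two states. The numbers show the property the text relies on, that a conclusive outcome never points at the wrong state, and they give the honest, loss-free '?' rate against which Alice and Bob's abort threshold for '?' events is set.

```python
import math

S = 1 / math.sqrt(2)
KET = {"0": (1.0, 0.0), "1": (0.0, 1.0), "+": (S, S), "-": (S, -S)}
IDENTITY = [[1.0, 0.0], [0.0, 1.0]]


def projector(ket):
    """|k><k| as a 2x2 matrix; the amplitudes are real, so no conjugation."""
    return [[ket[i] * ket[j] for j in range(2)] for i in range(2)]


def scale(m, c):
    return [[c * x for x in row] for row in m]


def add(a, b, sign=1):
    return [[a[i][j] + sign * b[i][j] for j in range(2)] for i in range(2)]


# Eq. 1.11: F_0 excludes |+> (it projects on |->), F_1 excludes |0> (it
# projects on |1>), and F_? is whatever remains so the elements sum to 1.
C = 1 / (1 + math.sqrt(2))
F0 = scale(projector(KET["-"]), C)
F1 = scale(projector(KET["1"]), C)
F_INC = add(IDENTITY, add(F0, F1), sign=-1)
POVM = {"0": F0, "1": F1, "?": F_INC}


def is_psd(m, tol=1e-12):
    """A real symmetric 2x2 matrix is positive semidefinite iff its trace
    and determinant are both non-negative."""
    trace = m[0][0] + m[1][1]
    det = m[0][0] * m[1][1] - m[0][1] * m[1][0]
    return trace >= -tol and det >= -tol


def povm_is_valid():
    """Every element must be positive and the elements must sum to 1."""
    total = add(add(F0, F1), F_INC)
    sums_to_one = all(abs(total[i][j] - IDENTITY[i][j]) < 1e-12
                      for i in range(2) for j in range(2))
    return sums_to_one and all(is_psd(f) for f in POVM.values())


def expectation(m, ket):
    """<k|M|k>: the Born-rule probability of the outcome with element M."""
    return sum(ket[i] * m[i][j] * ket[j] for i in range(2) for j in range(2))


def outcome_probabilities(sent):
    """Pr[outcome | Alice sent `sent`] for the three outcomes 0, 1 and ?."""
    return {label: expectation(f, KET[sent]) for label, f in POVM.items()}


def honest_inconclusive_rate():
    """Expected fraction of '?' outcomes when Alice sends |0> and |+>
    equally often and nothing is lost in the channel."""
    return (outcome_probabilities("0")["?"] + outcome_probabilities("+")["?"]) / 2
```

For $|0\rangle$ the probabilities are Pr[0] = 1/(2(1+√2)) ≈ 0.21, Pr[1] = 0 and Pr[?] ≈ 0.79, and symmetrically for $|+\rangle$; a run whose '?' fraction sits well above this baseline is what the abort rule in the text is looking for.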

When there is loss in the quantum channel, Eve can attack the B92 
protocol by replacing the lossy channel with a lossless channel and by 
doing the same unambiguous state discrimination measurement as Bob. 
When she gets a definite outcome, she forwards the post-measurement 
state to Bob. If she gets the '?' outcome then she does not send Bob a state. 
If the loss is high enough in the channel, then Alice and Bob will not be 
able to tell this attack apart from loss, and Eve gets full information about 
the state that Alice sent whenever Bob gets a measurement outcome. To 
avoid this attack, some have proposed that Alice send a strong reference 
pulse with each quantum state [Koa04, TLKB09]. The strong reference 
pulse is a laser pulse that has a huge number of photons and it can usually 
be considered to be a classical optical signal. Therefore, Bob is guaranteed 
to get a strong reference pulse, even if there is high loss in the channel 
between Alice and Bob, which makes it possible for them to detect when 
Eve is doing this attack. 

Now we describe two discrete protocols that do not use qubits. These 
two protocols are distributed phase protocols because they encode information 
in the relative phase between pulses of light. 


Differential Phase Shift (DPS) 

One of the problems with the above qubit protocols is that they often 
require a basis choice, which needs either active elements (i.e. moving 
parts that require inputs) in the devices to choose the basis, or a device to 
do the basis choice in a passive way (without having to actively change the 
device, see Section 4.8). The DPS protocol was first proposed by [IWY02, 
IWY03] as a protocol that can be implemented simply and in a passive 
way. 


We present the simplified version of the protocol from [IWY03] instead 
of how it was originally proposed [IWY02]. First, we introduce the 
notion of a coherent state, defined as 

$$|\alpha\rangle = \ldots, \qquad \alpha \in \mathbb{C}, \qquad (1.12)$$

where $|n\rangle$ is a Fock state³. Coherent states are a superposition of a Poisson 
distribution over the state for each number of photons. To see that this 
superposition follows a Poisson distribution, note that the probability of 
getting outcome $n$ when doing a projective measurement of the number of 
photons is 

$$\Pr[n \text{ photons}] = |\langle n|\alpha\rangle|^2 = e^{-|\alpha|^2}\,\frac{|\alpha|^{2n}}{n!}, \qquad (1.13)$$

which means that the average number of photons is $|\alpha|^2$. Often in this 
context, instead of using the parameter $\alpha$, the average photon number 
$\mu := |\alpha|^2$ is used instead (so a coherent state would be written as $|\sqrt{\mu}\rangle$). 


In the protocol, Alice pulses her laser at fixed intervals to produce a 
train of pulses that each contain a coherent state (see Fig. 1.5). For each 
of the pulses she sends, she uses a secret random bit string, S, to choose 

³ The Fock state, $|n\rangle$, is the energy eigenstate of the quantum harmonic oscillator with 
Hamiltonian $H = a^\dagger a + \ldots$ with creation and annihilation operators $a^\dagger$ and $a$. This state 
represents the number of photons that are in a pulse from a laser. A coherent state is an 
eigenstate of the annihilation operator: $a|\alpha\rangle = \alpha|\alpha\rangle$. 
Figure 1.5: The DPS protocol. Alice produces coherent states where she 
modulates their relative phase using a phase modulator (PM). She picks either 0 
or $\pi$ to be the phase angle between the pulses. Bob measures using a 
Mach-Zehnder interferometer that measures these relative phases. 


if she will change the phase⁴ of the next pulse relative to the previous 
pulse. This phase encodes a classical string $S = S_1 S_2 \cdots S_n$, where $S_i \in \{0, 1\}$ 
determines the relative phase between the pulses: 

$$|\Psi\rangle = |e^{i\phi_1}\alpha\rangle\,|e^{i\phi_2}\alpha\rangle \cdots |e^{i\phi_{n+1}}\alpha\rangle, \qquad (1.14)$$

where $\phi_i = \phi_{i-1} + \pi S_{i-1}$, $i \in \{2, 3, \ldots, n+1\}$, and $|e^{i\phi_i}\alpha\rangle$ is a coherent state. 
This leaves the global phase, $\phi_1$, as arbitrary. 

Note that $|\Psi\rangle$ cannot be written as a tensor product state such that 
each individual state only depends on one bit of $S$: 

$$|\Psi\rangle \neq |\psi(S_1)\rangle\,|\psi(S_2)\rangle \cdots |\psi(S_n)\rangle. \qquad (1.15)$$


To measure this state, Bob uses a Mach-Zehnder interferometer (see 
Fig. 1.5). The input first goes into a 50:50 beamsplitter whose two output 
arms have different lengths (see Section 4.5). The length difference is the distance 
between the pulses in Alice's state. These paths are recombined on the two 
inputs of another beamsplitter so that they can interfere. The result 
is that the phases of neighbouring pulses interfere, and a detector can 
be placed at each output of the second beamsplitter. Depending on which one 
clicks, Bob will know the relative phase of Alice's pulses (whether $\phi_i - \phi_{i-1}$ 
is 0 or $\pi$). See Section 4.5.5 to see how a Mach-Zehnder interferometer 
achieves this phase measurement. 
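The DPS encoding of Eq. 1.14 and Bob's interferometric decoding, as an added example that is not code from the thesis; it also evaluates the photon-number statistics of Eq. 1.13. The interferometer model is an assumption of this example: the delayed previous pulse and the current pulse meet on a 50:50 beamsplitter with output amplitudes $(e^{i\phi_{i-1}} \pm e^{i\phi_i})/2$, and which detector clicks reveals whether $\phi_i - \phi_{i-1}$ is 0 or $\pi$. The example also shows that the arbitrary global phase $\phi_1$ drops out, and that a misalignment $\delta$ of the relative phase produces wrong clicks with probability $\sin^2(\delta/2)$, which follows from the same amplitudes.

```python
import cmath
import math


def poisson_photon_statistics(mu, n_max):
    """Eq. 1.13 with mu = |alpha|^2: Pr[n photons] = e^{-mu} mu^n / n!"""
    return [math.exp(-mu) * mu ** n / math.factorial(n) for n in range(n_max + 1)]


def mean_photon_number(mu, n_max=60):
    """Sum of n * Pr[n]; it comes back as mu, as the text states."""
    return sum(n * p for n, p in enumerate(poisson_photon_statistics(mu, n_max)))


def dps_phases(bits, global_phase=0.0):
    """Eq. 1.14: phi_1 is arbitrary and phi_i = phi_{i-1} + pi * S_{i-1},
    so n bits give n+1 pulse phases."""
    phases = [global_phase]
    for s in bits:
        phases.append(phases[-1] + math.pi * s)
    return phases


def mach_zehnder_click_probs(phi_prev, phi_cur):
    """Assumed model of Bob's interferometer: the delayed copy of the
    previous pulse and the current pulse meet on a 50:50 beamsplitter with
    output amplitudes (e^{i phi_prev} +/- e^{i phi_cur})/2. Returns the click
    probabilities of detector 0 and detector 1, conditioned on a detection."""
    a0 = (cmath.exp(1j * phi_prev) + cmath.exp(1j * phi_cur)) / 2
    a1 = (cmath.exp(1j * phi_prev) - cmath.exp(1j * phi_cur)) / 2
    p0, p1 = abs(a0) ** 2, abs(a1) ** 2
    return p0 / (p0 + p1), p1 / (p0 + p1)


def bob_decode(phases):
    """Detector 0 fires for relative phase 0 (bit 0) and detector 1 for pi
    (bit 1). With exact 0/pi phases the outcome is deterministic, so the
    likelier detector is taken for each neighbouring pair."""
    return [0 if mach_zehnder_click_probs(prev, cur)[0] > 0.5 else 1
            for prev, cur in zip(phases, phases[1:])]


def phase_error_probability(delta):
    """Probability of the wrong detector clicking when the relative phase is
    off by delta from 0: |(1 - e^{i delta})/2|^2 = sin^2(delta/2)."""
    return mach_zehnder_click_probs(0.0, delta)[1]
```

Decoding recovers the encoded string for any value of the global phase, which is the statement that only relative phases are measurable (footnote 4); phase_error_probability is the quantity a phase-modulator calibration error feeds into Bob's error rate.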

⁴ By phase, we mean a factor $e^{i\varphi}$ in front of a quantum state. Note that while global phases 
in quantum mechanics cannot be measured (and therefore descriptions of states with a 
global phase are all equivalent descriptions), relative phases can be measured. Also note 
that the phase $e^{i\varphi}$ is different from an optical phase (see Appendix A). See Section 4.7.1 
for more details on relative phases. 
The security proof of this protocol is more challenging than for the 
qubit protocols listed earlier, since Alice's state cannot be broken down 
into the tensor product form of Eq. 1.15. This means that there are fewer 
symmetries that can be exploited in order to use the same tools that work 
for qubit protocols. While there is no security proof for the way the protocol 
is described above, there is a security proof if a single photon is 
split up into $m$ pulses (called a block) and then many of these independent 
blocks are used instead of using coherent states in a long chain of 
pulses [WTY09]. Attacks on the DPS protocol have also been analyzed 
[CTM08, GI12, MCL+12]. 

Coherent One-Way (COW) 

Another protocol that does not use independent qubits, but is still discrete, 
is the coherent one-way (COW) protocol [GRZ+04, SBG+05]. Similarly 
to the DPS protocol, the COW protocol can be implemented with 
passive elements on Bob's side and the state that Alice sends cannot be 
decomposed into a tensor product of states that only depend individually 
on one of the bits Alice is trying to send to Bob. 

The states that Alice prepares to send her uniformly random bit string, 
depending on whether the bit in position $i \in \{1, 2, \ldots, n\}$ is 0 or 1, are 

$$|0_L\rangle_i = |\alpha\rangle_{2i-1}|0\rangle_{2i}, \qquad |1_L\rangle_i = |0\rangle_{2i-1}|\alpha\rangle_{2i}, \qquad (1.16)$$

where $|0\rangle$ is the vacuum state⁵, $|\alpha\rangle$ is a coherent state, and $|0_L\rangle_i$ and $|1_L\rangle_i$ 
denote the logical bits Alice wants to send, 0 and 1, as the $i$th signal. Note 
that Alice will have two pulses per bit she would like to send (see Fig. 1.6). 
Also, $|0_L\rangle_i$ and $|1_L\rangle_i$ in Eq. 1.16 are not orthogonal, since the coherent state 
has a vacuum component. 

In order to counteract an eavesdropper, Alice also has to send some 
other states that will not be used for Alice's and Bob's strings, but will only 
be used to detect an eavesdropper. Alice will, with probability $q$, prepare a 
decoy state that spans two time slots: 

$$|\mathrm{decoy}\rangle_i = |\alpha\rangle_{2i-1}|\alpha\rangle_{2i}. \qquad (1.17)$$

With probability $1 - q$ she prepares her $|0_L\rangle$ or $|1_L\rangle$ state according to her 
starting string. 

⁵ Sometimes $|0\rangle$ is used to denote the vacuum state, which will be used in some contexts, 
such as when we write coherent states (Eq. 1.12). When there is a conflict of notation 
between the bit values that correspond to the states (where here Alice wants to send the 
logical bit 0) and the vacuum state, the logical bit will be written with a subscript, as $0_L$. 
Figure 1.6: The COW protocol. Alice prepares one of three states: a coherent 
state followed by the vacuum (0), the vacuum followed by a coherent state (1), 
or a decoy state that is two coherent states, one after another. Alice modulates 
the relative phase between the coherent states by using her phase modulator 
(PM). Bob randomly chooses to either measure the timing of the incoming pulses 
or use a Mach-Zehnder interferometer to measure the relative phase of the 
incoming pulses. He may measure the relative phase between two pulses of a 
decoy state, between a 1 followed by a decoy state, between a decoy state 
followed by a 0, or between a 1 followed by a 0. 


Bob's measurement is composed of two parts. With probability $p$ he 
will measure if there is at least one photon in each pulse. This measurement 
will tell him if Alice was trying to send a 0 or a 1. With probability 
$1 - p$, he does a Mach-Zehnder interferometer measurement as in the DPS 
protocol. This interferometer can measure the relative phase between two 
sequences of states: between a neighbouring $|1_L\rangle$ followed by $|0_L\rangle$ that Alice 
sent, as well as the phase between the two pulses of a decoy state. 
The measurement can also measure the phase between a decoy state that 
is preceded by $|1_L\rangle$ or followed by $|0_L\rangle$. It turns out to be impossible for 
Eve to coherently measure both the $|0_L\rangle$ and $|1_L\rangle$ states as well as keep the 
phases undisturbed for the decoy states [GRZ+04]. As such, the interferometer 
measurement outcomes will be used for parameter estimation to 
detect if there is an eavesdropper. 

Alice and Bob do a sifting step where Alice will tell Bob where she 
sent decoy states and he will throw away the measurement results when he 
measured those signals in his first measurement. Bob also tells Alice where 
he got measurement results in his interferometer, since these bits will be 
used for parameter estimation. They then continue with the classical post-
processing steps on their classical strings. 

The COW protocol does not have a full security proof, but a variant, 
just like the DPS protocol variant [WTY09], that breaks up the protocol 
into blocks, with a single photon in each block, does have a security 
proof [MCL+12]. The COW protocol has been implemented experimentally 
[WBC+14]. 

1.2.3 Continuous-Variable Protocols 

Continuous-variable protocols typically use one of two kinds of states: coherent states, as in Eq. 1.12, and squeezed states. Squeezed states are more general than coherent states. For a description of squeezed states and how they can be represented in phase space, see Appendix A.

Usually, continuous-variable protocols are variations of the same protocol [Ral99, Rei00]. First, Alice prepares either a coherent state or a squeezed coherent state. If Alice prepares a squeezed coherent state, Bob does homodyne detection [Hil00]. Homodyne detection is the measurement of the difference in the number of photons after interfering the input state and a local oscillator. The local oscillator for this measurement is a coherent state in phase with the input state. Homodyne detection actually measures either the X or Y quadrature operator (see Appendix A), though the analysis to show this fact is beyond the scope of this thesis.

If Alice prepares coherent states then Bob does heterodyne detection. This detection can be thought of as measuring both X and Y simultaneously. Due to Heisenberg's uncertainty relation, there is some error inherent in this measurement, since X and Y are non-commuting observables. Heterodyne detection is the same as homodyne detection, except that instead of measuring photon numbers, the outputs of the beamsplitter are combined on a non-linear crystal (see Section 4.5).

When Alice prepares coherent or squeezed states, she can choose different ways to vary her choice of state. In discrete protocols Alice chooses her states from a finite discrete set, and here she could do the same. She can also vary her states by choosing the parameters of the coherent or squeezed states according to a Gaussian sampling.

Continuous-variable protocols have been proven to be secure. For example, they are secure if coherent states are used and Gaussian variability is used to choose $\alpha$ [LGPRC13, Lev14].

1.2.4 Device-Independent Protocols 

Device-independent QKD was originally proposed by Ekert [Eke91]. Unlike device-dependent protocols, no assumptions should be made about the devices used in the protocol. Instead, the idea is to verify that Alice and Bob share quantum states that have strong correlations (see Defn. 2.2.7 and Section 3.4.5). If Alice and Bob have high correlations in their states then they can verify that Eve cannot have strong correlations with either Alice's or Bob's state.

For a history of device-independent QKD security, see [W12] and 
references therein. Security proofs of these kinds of protocols typically 
had to make unreasonable assumptions about the implementation, such 
as the need for a separate measurement device for each signal or that the 
protocol has no losses. However, the recent security proof of [W12] is the 
only proof to date that avoids these problems. 


1.2.5 Measurement-Device-Independent Protocols 


Measurement-device-independent (MDI) quantum key distribution is a hybrid of the device-independent and the device-dependent scenario. The advantage of using these protocols is that they are device-independent on the side of the measurement, which avoids many assumptions that are typically necessary to prove security (see Section 4.8). MDI QKD has another advantage over traditional QKD protocols, since it can be performed over longer distances than what is typically possible [LCQ12, LPT+13].

There are two discrete-variable-type protocols, one of which is an entanglement-based version of the other (see Section 3.4.1), in the same way that the BB84 protocol is equivalent to the Ekert91 protocol in their perfect descriptions.


The prepare and measure (P&M, see Section 3.4.1) protocol from [LCQ12] starts with Alice and Bob uniformly at random preparing a state from the BB84 protocol (see Fig. 1.7). Alice and Bob send these states to Eve, who is untrusted. Ideally, Eve does a joint measurement of Alice and Bob's states in the Bell basis, a basis for two qubits $\{|\psi^+\rangle, |\psi^-\rangle, |\phi^+\rangle, |\phi^-\rangle\}$ defined as

$$
\begin{aligned}
|\psi^+\rangle_{AB} &= \frac{|00\rangle_{AB} + |11\rangle_{AB}}{\sqrt{2}}, &
|\psi^-\rangle_{AB} &= \frac{|00\rangle_{AB} - |11\rangle_{AB}}{\sqrt{2}}, \\
|\phi^+\rangle_{AB} &= \frac{|01\rangle_{AB} + |10\rangle_{AB}}{\sqrt{2}}, &
|\phi^-\rangle_{AB} &= \frac{|01\rangle_{AB} - |10\rangle_{AB}}{\sqrt{2}}.
\end{aligned} \tag{1.18}
$$
Figure 1.7: MDI QKD [LCQ12]. Alice and Bob randomly prepare one of the BB84 states $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$. Eve measures these states using a measurement in the Bell basis (Eq. 1.18). Eve then communicates her measurement outcomes to Alice and Bob.


Eve publicly announces the measurement outcome she gets to Alice and Bob. Alice and Bob also announce which basis they prepared their states in, followed by basis sifting to discard measurement outcomes where their states were prepared in different bases. Alice and Bob assign bit values to their prepared states the same way as in the BB84 protocol. Depending on the state that Eve announces, Alice may need to flip her bit value. For example, if Eve reveals $\phi^+$ and Alice and Bob prepared states in the Z basis then Alice will flip her bit. Equivalently, Bob could flip his bit value instead. As another example, if Alice and Bob prepare states in the Z basis and Eve reveals $\psi^+$ then Alice will not flip her bit value.

Note that Eve cannot determine Alice’s and Bob’s bit values, since 
even if she knows the basis and the Bell measurement outcome, she only 
knows that Alice and Bob have the same bit value but not which bit value 
it is. 
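The sifting and bit-flip rule above can be checked mechanically. The following Python is an example added here, not code from the thesis or from [LCQ12]: it computes the Born-rule probabilities of each Bell outcome of Eq. 1.18 for every pair of BB84 preparations (the thesis's naming of the Bell states is kept, so $\psi^\pm$ are the $|00\rangle \pm |11\rangle$ states), verifies that the flip rule makes Alice's and Bob's sifted bits agree, and shows that the announced basis together with Eve's outcome leaves her with a uniform posterior over the bit value. The X-basis flip rule (flip on the two "minus" Bell states) is derived from the same overlaps and goes beyond the Z-basis examples in the text. An ideal, lossless Bell measurement and the numpy library are assumed.

```python
"""Ideal Bell-state measurement and sifting for MDI QKD (added example).

Bell basis named as in Eq. 1.18: |psi+-> = (|00> +- |11>)/sqrt2, |phi+-> = (|01> +- |10>)/sqrt2.
"""
import numpy as np

KET0 = np.array([1, 0], dtype=complex)
KET1 = np.array([0, 1], dtype=complex)
PLUS = (KET0 + KET1) / np.sqrt(2)
MINUS = (KET0 - KET1) / np.sqrt(2)

# BB84 states indexed by (basis, bit); basis 0 is Z, basis 1 is X.
BB84 = {(0, 0): KET0, (0, 1): KET1, (1, 0): PLUS, (1, 1): MINUS}


def bell_states():
    """The four Bell states of Eq. 1.18 as vectors in the computational basis."""
    k00, k01 = np.kron(KET0, KET0), np.kron(KET0, KET1)
    k10, k11 = np.kron(KET1, KET0), np.kron(KET1, KET1)
    r = np.sqrt(2)
    return {"psi+": (k00 + k11) / r, "psi-": (k00 - k11) / r,
            "phi+": (k01 + k10) / r, "phi-": (k01 - k10) / r}


def bell_outcome_probabilities(alice, bob):
    """Born-rule probability of each Bell outcome when Eve measures the product
    state |alice>|bob> in the Bell basis (ideal, lossless measurement)."""
    joint = np.kron(alice, bob)
    return {name: float(abs(np.vdot(b, joint)) ** 2) for name, b in bell_states().items()}


def flip_rule(basis, outcome):
    """Whether Alice flips her bit for the announced basis and Eve's Bell outcome.
    Z basis: the phi states are anticorrelated in Z, so flip on phi+/phi- (as in the text).
    X basis: the 'minus' states are anticorrelated in X, so flip on psi-/phi-
    (derived from the overlaps computed above; the text gives only Z-basis examples)."""
    if basis == 0:
        return outcome.startswith("phi")
    return outcome.endswith("-")


def sifted_key_agrees():
    """For every same-basis preparation and every Bell outcome that can occur,
    Alice's bit after flip_rule must equal Bob's. Returns True if the rule is consistent."""
    for basis in (0, 1):
        for a_bit in (0, 1):
            for b_bit in (0, 1):
                probs = bell_outcome_probabilities(BB84[(basis, a_bit)], BB84[(basis, b_bit)])
                for outcome, p in probs.items():
                    if p > 1e-12 and (a_bit ^ int(flip_rule(basis, outcome))) != b_bit:
                        return False
    return True


def eve_posterior_on_alice_bit(basis, outcome):
    """Eve's posterior over Alice's bit given the public basis and her own Bell outcome,
    assuming the four same-basis preparations are chosen uniformly at random.
    Returns (P(bit=0), P(bit=1))."""
    weight = [0.0, 0.0]
    for a_bit in (0, 1):
        for b_bit in (0, 1):
            p = bell_outcome_probabilities(BB84[(basis, a_bit)], BB84[(basis, b_bit)])[outcome]
            weight[a_bit] += 0.25 * p
    total = weight[0] + weight[1]
    return (weight[0] / total, weight[1] / total)


if __name__ == "__main__":
    print("flip rule consistent:", sifted_key_agrees())
    print("Eve's view of Alice's bit given Z and psi+:", eve_posterior_on_alice_bit(0, "psi+"))
```

The posterior function is the computational form of the remark that follows in the text: for every basis and every outcome it returns (1/2, 1/2), so the public Bell outcome tells Eve only whether the two bits are equal, never which value they take.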


The entanglement-based MDI protocol is the same as the above, except that Alice and Bob each prepare a copy of the state $|\psi^+\rangle$ [LPT+13]. Alice and Bob do a BB84 measurement on one half of this state and send the other half to Eve for her Bell measurement. The rest of the protocol follows the same steps as the P&M version.

Both of these protocols are secure [LCQ12, LPT+13]. MDI QKD also has a continuous-variable version [ZLY+14, LZX+14, MSJ+14a], an uncharacterized qubit source version [YEM+13, YFM+14], a version that uses quantum repeaters to extend the maximum possible distance of the protocol [PR14a, PRP14, PRML14, ATM14], and a version that uses Bell/CHSH inequalities [YFT+14, ZLL+14]. Several experiments have now been performed [TYC+14].


1.2.6 Counterfactual QKD 


Counterfactual (CF) QKD is where the quantum states used for the key are prepared and measured in Alice's lab. Bob infers the key from a setting of his device, but he does not use measurement outcomes for his key. The states that are sent through the quantum channel from Alice to Bob and measured afterwards are only used for parameter estimation. CF QKD was first introduced in [Noh09] and we describe this protocol here. It is related to two-way QKD protocols in its construction (see Section 5.2).


Alice prepares one of two qubits: $|0_L\rangle$ or $|1_L\rangle$ (see Fig. 1.8). She inputs these states to a 50:50 beamsplitter (see Section 4.5.3), which creates the state along two paths, a and b:

$$
\frac{|0\rangle_a |\psi\rangle_b + |\psi\rangle_a |0\rangle_b}{\sqrt{2}}, \tag{1.19}
$$

where $|0\rangle$ is the vacuum state and $|\psi\rangle \in \{|0_L\rangle, |1_L\rangle\}$. The state on path a is kept by Alice while the state on path b is sent to Bob. Bob uniformly at random uses a filtering switch that sends $|0_L\rangle$ and $|1_L\rangle$ to different outputs. One output of this switch is the state Bob accepts and one is the state he rejects. The accepted state goes to a Z-basis measurement ($D_1$ in Fig. 1.8). The rejected state is sent back to Alice.


Alice's state on path a is put into a beamsplitter at the same time as the state from Bob is (potentially) returned on path b. If Bob rejected Alice's state then the states at the beamsplitter will interfere, resulting in the output state $|\psi\rangle$, which goes to the Z-basis measurement $D_2$ (see Fig. 1.8). If Bob got a measurement result then Alice's detectors will not click. If Bob did not get a measurement result and Alice's and Bob's state choices were the same then the state from Eq. 1.19 collapses to

$$
|\psi\rangle_a |0\rangle_b. \tag{1.20}
$$

Therefore, Alice may get a measurement in detector $D_1$ since there is no interference happening at the beamsplitter. If Alice's measurement outcome in $D_1$ is the same as her prepared state then she announces to Bob that she got a measurement outcome in $D_1$ but she does not reveal the outcome. Bob will know the outcome because it is the same as his choice of state.
Figure 1.8: The counterfactual QKD protocol of [Noh09]. Alice prepares one of two orthogonal states: $|0_L\rangle$ or $|1_L\rangle$. After the first beamsplitter the state will be in a superposition of going to path a or path b. On path b Bob will choose a filtering switch (SW) that will select either $|0_L\rangle$ or $|1_L\rangle$. The state that Bob accepts goes to a measurement in the $\{|0_L\rangle, |1_L\rangle\}$ basis at $D_1$. The state that he rejects goes back to Alice. The state along path a is delayed so that it will arrive at the upper beamsplitter at the same time as Bob's rejected state. Alice then measures in the $\{|0_L\rangle, |1_L\rangle\}$ basis at $D_2$ and $D_3$.


Note that detector $D_1$ will click with probability 1/4, since it clicks when Bob chooses his state to be the same as Alice's (which happens with probability 1/2) and he does not get a measurement outcome in $D_3$ (which happens with probability 1/2). This means that the fraction of measurement outcomes that can be used for the key is 1/4.

Alice and Bob reveal their measurement outcomes from detectors $D_2$ and $D_3$, as well as Alice's measurement outcomes when her outcome in $D_1$ did not match her prepared state. They use this information for parameter estimation.

The actual Noh09 protocol is more general and uses uneven beamsplitters, though we omit this generalization here (see Section 4.5.3).

Another CF QKD protocol has been proposed as well [SLAAZ13]. 

The efficiency of the Noh09 protocol was improved in [SW10]. It is not yet known if these protocols are secure, though the security of the Noh09 protocol has been analyzed in [YLC+10, ZWJ12, ZWT12]. Counterfactual QKD has also been implemented [RWWZ10, BCD+12].


1.3 Outline 


In Chapter 2 we give an introduction to quantum mechanics using the density operator formalism as well as mathematical definitions and properties used throughout the thesis. Chapter 3 discusses the security of QKD in detail and tools that can be used to prove security for a variety of protocols. Chapter 4 analyzes the different assumptions made in QKD and quantum cryptography and how these assumptions may be justified or may lead to insecurities. Chapter 5 discusses two contributions of the author under the framework for security and assumptions developed in this thesis. Chapter 6 concludes with thoughts about the future of QKD and quantum cryptography.

Appendix A presents squeezed states and phase space for continuous- 
variable QKD protocols. Appendix B outlines miscellaneous mathematical 
results used throughout this thesis. 
Chapter 2

Preliminaries 


2.1 Introduction 


In this chapter we outline several mathematical properties and tools 
that will be used in this thesis. We also give an introduction to the density 
operator formalism of quantum mechanics. 

There are several resources available to learn quantum information and computation. There are lecture notes by John Watrous [Wat13], John Preskill [Pre98], and Renato Renner [Ren12a]. There are also several books, such as the most widespread quantum information and computation book [NC00] and the recent book on quantum information theory by Mark Wilde [Wil13]. The Preliminaries chapter of the PhD thesis of Marco Tomamichel [Tom12] has a technical introduction to quantum information as well.

We start with an introduction to quantum mechanics using density 
operators instead of wave functions (Section 2.2). Next we present various 
entropies (Section 2.3) and mutual information (Section 2.4). 

Further mathematical details can be found in Appendix B. 


2.2 Quantum Mechanics 


Quantum mechanics is the physical model we use to characterize the quantum-cryptography protocols in this thesis. In order to prove that a quantum-cryptography protocol is secure, we need to be able to characterize what an eavesdropper or dishonest party is able to do to attack the protocol. For example, a very conservative assumption in quantum key distribution is that an eavesdropper can do anything to the states sent between Alice and Bob in the quantum channel that is allowed by quantum mechanics. Implicitly, by using quantum mechanics to characterize Eve's attack, it is assumed that Eve cannot get any further information about the quantum states sent between Alice and Bob than what quantum mechanics allows her to learn. This assumption is that quantum mechanics is complete, which will be discussed in further detail in Section 4.4.1.

In addition, we assume that Alice's and Bob's devices are characterized by quantum mechanics. This limits what kind of states, measurements, and operations Alice and Bob can perform in quantum cryptography. Since these protocols are characterized by quantum mechanics, we provide descriptions of what states and transformations are permissible in this theory.

We assume that the reader understands the basics of quantum mechanics, which includes Dirac notation, Hamiltonians, and the Schrödinger equation. Mathematically, the reader should be familiar with the basics of linear algebra in finite dimensions such as vectors, matrices, and eigenvalues, as well as statistics such as random variables, expectation values, and probability distributions.

We introduce the density operator formalism for quantum mechanics, which is useful for treating quantum mechanics from a computer science and information theory perspective. It provides a formulation of quantum mechanics equivalent to the Schrödinger or Heisenberg picture using Hamiltonians, wavefunctions, and the Schrödinger equation.

Intuitively, the density operator formalism of quantum mechanics represents states and the transformations of states as operators and superoperators respectively. Instead of states being elements of a Hilbert space, they are operators that act on a Hilbert space. States can then be represented as matrices. The transformations allowed are no longer described by Hamiltonians (or equivalently, unitaries) but by superoperators: linear maps from operators to operators. For the purposes of this thesis we will remove the time component of these superoperators and instead consider that a Hamiltonian has acted for a predetermined time. This complete transformation will then be a fixed map from operators acting on one Hilbert space to another set of operators acting on another Hilbert space.

The density operator formalism is powerful: it is a mathematically simple way (i.e. it uses linear algebra) to represent quantum mechanics. This formalism also makes quantum mechanics easier to combine with computer science and information theory as it allows for the consideration of states that are not physical (i.e. unnormalized states), which can be a helpful mathematical technique in quantum information theory. Unnormalized states are then related to physical states by a renormalization.

Ironically, it may also be useful to turn these matrices (and maps between matrices) that represent states and their transformations back into vectors and the matrices that act on them respectively.

2.2.1 Operators and States 

We begin by introducing operators, states, and quantum maps. This section is adapted from the more thorough exposition in [Tom12]. First recall that a set of vectors $\{|e_i\rangle\} \subset \mathcal{H}$ in a Hilbert space $\mathcal{H}$ is an orthonormal basis if $\langle e_i|e_j\rangle = \delta_{ij}$ and $\mathrm{span}\{|e_i\rangle\} = \mathcal{H}$. Now we define linear operators.

Definition 2.2.1 (Linear Operators). A linear operator $L$ is a linear map from Hilbert space $\mathcal{H}_A$ to $\mathcal{H}_B$ that takes elements $|\psi\rangle_A \in \mathcal{H}_A$ to $\mathcal{H}_B$: $L|\psi\rangle_A \in \mathcal{H}_B$. A linear operator can be represented as a matrix in a pair of orthonormal bases for $\mathcal{H}_A$ and $\mathcal{H}_B$, $|e_i\rangle_A$ and $|f_j\rangle_B$ respectively, for $i \in [d_A]$, $j \in [d_B]$, where $d_A$ and $d_B$ are the dimensions of $\mathcal{H}_A$ and $\mathcal{H}_B$ and $[d_A] := \{1, 2, \ldots, d_A\}$. The matrix representation for $L$ is then given by

(2.1)

so that the matrix element $L_{ij}$ is given by $\langle f_j|L|e_i\rangle$. We define the set of linear operators that map from $\mathcal{H}_A$ to $\mathcal{H}_B$ as $\mathcal{L}(\mathcal{H}_A, \mathcal{H}_B)$ and the linear operators that map from $\mathcal{H}$ to $\mathcal{H}$ (i.e. endomorphisms) as $\mathcal{L}(\mathcal{H})$.

In addition, the adjoint of an operator that maps from $\mathcal{H}_A$ to $\mathcal{H}_B$ is denoted as $L^\dagger$ and is defined via

(2.2)

where $*$ is the complex conjugate.

One special case of linear operators are projectors. They are operators $\Pi \in \mathcal{L}(\mathcal{H})$ that satisfy $\Pi^2 = \Pi$. They can be written as $\sum_i |\phi_i\rangle\langle\phi_i|$ for a set of orthonormal states $\{|\phi_i\rangle\}$ that is not necessarily complete (i.e. $\sum_i |\phi_i\rangle\langle\phi_i| \leq \mathbb{1}$).

Another special case of linear operators are the valid physical states 
on Hilbert spaces: density operators. To define these, we define a few 
different kinds of operators and the trace of an operator. 
An operator $L$ is Hermitian if $L \in \mathcal{L}(\mathcal{H})$ and $L^\dagger = L$. A positive-semidefinite operator is a linear operator, $M$, that is Hermitian and that satisfies

$$
\langle\psi|M|\psi\rangle \geq 0, \quad \forall\, |\psi\rangle \in \mathcal{H}. \tag{2.3}
$$

A positive semidefinite operator can be written as $M \geq 0$, and the set of all such operators on a given Hilbert space is denoted as such. A unitary operator, $U$, is a linear operator $U \in \mathcal{L}(\mathcal{H})$ that satisfies

$$
U U^\dagger = U^\dagger U = \mathbb{1}, \tag{2.4}
$$

where $\mathbb{1}$ is the identity operator, which can be written as $\sum_i |e_i\rangle\langle e_i|$ for an orthonormal basis $\{|e_i\rangle\}$. A more general kind of operator than a unitary is an isometry. An isometry satisfies $U \in \mathcal{L}(\mathcal{H}_A, \mathcal{H}_B)$ and $U^\dagger U = \mathbb{1}_A$, but $U U^\dagger = \mathbb{1}_B$ does not necessarily hold. This means that the operator $U$ maps from $\mathcal{H}_A$ to a subspace of its full output space, $\mathcal{H}_B$.

In addition to various kinds of operators, we also need the trace function.

Definition 2.2.2 (Trace). Given an orthonormal basis $\{|e_i\rangle\}$ for a Hilbert space $\mathcal{H}$, the trace of a Hermitian operator, $L$, is defined as

$$
\mathrm{Tr}\, L := \sum_i \langle e_i|L|e_i\rangle. \tag{2.5}
$$


The trace is independent of the choice of orthonormal basis, since if the basis is chosen to be the eigenvectors of $L$ then $\mathrm{Tr}\, L$ is the sum of the eigenvalues of $L$. Specifically, if we write $L$ in its eigendecomposition (also called the spectral decomposition) $L = \sum_i \lambda_i |f_i\rangle\langle f_i|$ (where $\lambda_i$ and $|f_i\rangle$ are the eigenvalues and eigenvectors of $L$ respectively) then for any unitary $U$ it holds that

$$
U^\dagger L U = \sum_i \lambda_i |g_i\rangle\langle g_i|, \tag{2.6}
$$

where $|g_i\rangle = U|f_i\rangle$. Note that the set of states $\{|g_i\rangle\}$ is orthonormal ($\langle g_i|g_j\rangle = \langle f_i|U^\dagger U|f_j\rangle = \langle f_i|f_j\rangle = \delta_{ij}$), so $\lambda_i$ are the eigenvalues for $U^\dagger L U$ as well as for $L$. This means that for any basis $\{|e_i\rangle\}$ there exists a unitary $U$ such that $|e_i\rangle = U|f_i\rangle$, so that $\mathrm{Tr}\, L = \sum_i \langle e_i|L|e_i\rangle = \sum_i \langle f_i|U^\dagger L U|f_i\rangle = \sum_i \lambda_i$, which does not depend on the basis $\{|e_i\rangle\}$; therefore the trace does not depend on the basis used to calculate it.

It is now straightforward to define quantum states in this formalism 
as density operators. 




Definition 2.2.3 (Density operators). A density operator, $\rho$, is defined as a Hermitian linear operator such that

$$
\rho \geq 0 \quad \text{and} \quad \mathrm{Tr}\,\rho = 1. \tag{2.7}
$$

The set of all density operators on a Hilbert space $\mathcal{H}$ is written as $\mathcal{S}_=(\mathcal{H})$.

As an example, there are pure states $|\psi\rangle$ that have a corresponding density operator $|\psi\rangle\langle\psi|$, which can be represented as a rank-one matrix. Density operators that cannot be written as a rank-one matrix are called mixed. Sometimes, for mathematical convenience, we will use unnormalized density operators, so that $\rho \geq 0$ and $\mathrm{Tr}\,\rho \leq 1$. This set of states on a Hilbert space $\mathcal{H}$ is denoted as $\mathcal{S}_\leq(\mathcal{H})$. While these states are not physical, they can be related to physical states by renormalization. If $\rho \in \mathcal{S}_\leq(\mathcal{H})$ then $\rho/\mathrm{Tr}\,\rho \in \mathcal{S}_=(\mathcal{H})$, which is physical.

To describe two separate systems as a single joint system the tensor product is used.

Definition 2.2.4 (Tensor product). Given two Hilbert spaces, $\mathcal{H}_A$ and $\mathcal{H}_B$, the tensor product, denoted by $\mathcal{H}_A \otimes \mathcal{H}_B = \mathcal{H}_{AB}$, is the combination of these two spaces together. In particular, for two independent states $\rho_A \in \mathcal{S}_\leq(\mathcal{H}_A)$ and $\rho_B \in \mathcal{S}_\leq(\mathcal{H}_B)$ the global state that describes the system is given by $\rho_A \otimes \rho_B$. If $\rho_A$ is written in an orthonormal basis for its space as $\rho_A = \sum_{ij} c_{ij}\, |e_i\rangle_A\langle e_j|$, then the tensor product combines them in block matrix form

$$
\rho_A \otimes \rho_B = \begin{pmatrix}
c_{1,1}\,\rho_B & c_{1,2}\,\rho_B & \cdots & c_{1,d_A}\,\rho_B \\
c_{2,1}\,\rho_B & c_{2,2}\,\rho_B & \cdots & c_{2,d_A}\,\rho_B \\
\vdots & \vdots & \ddots & \vdots \\
c_{d_A,1}\,\rho_B & c_{d_A,2}\,\rho_B & \cdots & c_{d_A,d_A}\,\rho_B
\end{pmatrix}, \tag{2.8}
$$

where $d_A$ is the dimension of $\mathcal{H}_A$. A constant times a matrix, $c\rho$, is the matrix $\rho$ with each of its elements multiplied by $c$.

With composite systems, the trace may also be taken only over one of the systems.

Definition 2.2.5 (Partial trace). Given a joint quantum state $\rho_{AB} \in \mathcal{S}_\leq(\mathcal{H}_{AB})$ and an orthonormal basis $\{|e_i\rangle\}$ for $\mathcal{H}_A$, the partial trace over $A$ is defined as

$$
\mathrm{Tr}_A\, \rho_{AB} = \sum_i \left(\langle e_i|_A \otimes \mathbb{1}_B\right) \rho_{AB} \left(|e_i\rangle_A \otimes \mathbb{1}_B\right). \tag{2.9}
$$

We now define a state to be classical with respect to a quantum system if it can be written in the following form.

Definition 2.2.6 (Classical-quantum (CQ) state). A state, $\rho_{XB} \in \mathcal{S}_\leq(\mathcal{H}_{XB})$, is a CQ state if it can be decomposed as

$$
\rho_{XB} = \sum_i p_i\, |i\rangle\langle i| \otimes \rho_B^i, \tag{2.10}
$$

for probabilities $p_i$, states $\rho_B^i \in \mathcal{S}_\leq(\mathcal{H}_B)$ for all $i \in [d_X]$, and orthogonal states $|i\rangle$ in $\mathcal{H}_X$.

A very important set of quantum states are those that are entangled. They represent states that have stronger correlations than what is possible with two quantum systems that are only correlated in a classical way (i.e. are separable, see Defn. 2.2.7). They are defined as those states that cannot be written in a separable form.

Definition 2.2.7 (Separable and entangled states). Let $\rho_{AB} \in \mathcal{S}_\leq(\mathcal{H}_{AB})$; then $\rho_{AB}$ is separable if it can be written in the form

$$
\rho_{AB} = \sum_i p_i\, \rho_A^i \otimes \rho_B^i, \tag{2.11}
$$

for some probabilities $p_i$ and states $\rho_A^i \in \mathcal{S}_\leq(\mathcal{H}_A)$ and $\rho_B^i \in \mathcal{S}_\leq(\mathcal{H}_B)$. A state that cannot be written as Eq. 2.11 is entangled. Also, a state is maximally entangled if it is a pure state $\sigma_{AB} \in \mathcal{S}_\leq(\mathcal{H}_{AB})$ such that the reduced density operators $\sigma_A := \mathrm{Tr}_B(\sigma_{AB})$ and $\sigma_B := \mathrm{Tr}_A(\sigma_{AB})$ are maximally mixed and equal to $\mathbb{1}/d$, where $d$ is the dimension of $\mathcal{H}_A$ or $\mathcal{H}_B$ respectively.

Lastly, an important equivalence between mixed states and pure states is purification. Given a mixed state $\rho_A \in \mathcal{S}_\leq(\mathcal{H}_A)$, a purification of $\rho_A$ is a pure state $|\Psi\rangle \in \mathcal{H}_{AB}$ such that $\mathrm{Tr}_B(|\Psi\rangle\langle\Psi|) = \rho_A$. In addition, for all $\rho_A$ there exists a system $B$ and a pure state $|\Psi\rangle$ such that the dimension of $B$ is at most the dimension of $A$ and $|\Psi\rangle$ is a purification of $\rho_A$. If the spectral decomposition of $\rho_A$ is written as $\sum_i \lambda_i |i\rangle\langle i|$ then one such purification can be written as

$$
\sum_i \sqrt{\lambda_i}\, |i\rangle_A |i\rangle_B. \tag{2.12}
$$

All purifications of $\rho_A$ are equivalent up to an isometry on the purifying system, $B$.
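As an added illustration (example code, not from the thesis), the following Python implements the partial trace of Eq. 2.9 literally, checks the density-operator conditions of Eq. 2.7, builds the purification of Eq. 2.12 from the spectral decomposition, and checks the maximally-entangled condition of Defn. 2.2.7 on $|\psi^+\rangle$ of Eq. 1.18. Two-qubit matrices are indexed with $A$ as the first tensor factor, as in the block form of Eq. 2.8. The sample states $\rho_A$ and $\rho_B$ are constructed for the example, and the numpy library is assumed.

```python
"""Density operators, partial trace, and purification (Eqs. 2.7, 2.9, 2.12). Added example."""
import numpy as np


def dagger(m):
    return m.conj().T


def is_density_operator(rho, tol=1e-9):
    """Eq. 2.7: Hermitian, positive semidefinite, and unit trace."""
    hermitian = np.allclose(rho, dagger(rho), atol=tol)
    psd = bool(np.linalg.eigvalsh((rho + dagger(rho)) / 2).min() > -tol)
    return bool(hermitian and psd and abs(np.trace(rho) - 1) < tol)


def is_pure(rho, tol=1e-9):
    """A density operator is pure (rank one) iff Tr(rho^2) = 1."""
    return bool(abs(np.trace(rho @ rho) - 1) < tol)


def partial_trace_A(rho_ab, d_a, d_b):
    """Eq. 2.9: sum_i (<e_i|_A ⊗ 1_B) rho_AB (|e_i>_A ⊗ 1_B)."""
    out = np.zeros((d_b, d_b), dtype=complex)
    for i in range(d_a):
        bra_i = np.zeros((1, d_a)); bra_i[0, i] = 1.0
        k = np.kron(bra_i, np.eye(d_b))       # (<e_i| ⊗ 1_B), shape (d_b, d_a*d_b)
        out += k @ rho_ab @ dagger(k)
    return out


def partial_trace_B(rho_ab, d_a, d_b):
    """The same construction with the roles of A and B exchanged."""
    out = np.zeros((d_a, d_a), dtype=complex)
    for j in range(d_b):
        bra_j = np.zeros((1, d_b)); bra_j[0, j] = 1.0
        k = np.kron(np.eye(d_a), bra_j)       # (1_A ⊗ <e_j|), shape (d_a, d_a*d_b)
        out += k @ rho_ab @ dagger(k)
    return out


def purify(rho_a):
    """Eq. 2.12: |Psi> = sum_i sqrt(lambda_i) |i>_A |i>_B from the spectral decomposition."""
    lam, vecs = np.linalg.eigh(rho_a)
    psi = np.zeros(rho_a.shape[0] ** 2, dtype=complex)
    for i, l in enumerate(lam):
        if l > 1e-12:
            psi += np.sqrt(l) * np.kron(vecs[:, i], vecs[:, i])
    return psi


# Constructed sample states (not from the thesis): RHO_A is mixed, RHO_B is pure.
RHO_A = np.array([[0.7, 0.2], [0.2, 0.3]], dtype=complex)
RHO_B = np.array([[0.5, 0.5j], [-0.5j, 0.5]], dtype=complex)


def purification_recovers_state(rho_a=RHO_A):
    """The defining property of a purification: it is pure and Tr_B |Psi><Psi| = rho_A."""
    d = rho_a.shape[0]
    psi = purify(rho_a)
    big = np.outer(psi, psi.conj())
    return bool(is_pure(big) and np.allclose(partial_trace_B(big, d, d), rho_a))


def product_state_marginals_factor(rho_a=RHO_A, rho_b=RHO_B):
    """For rho_A ⊗ rho_B (Eq. 2.8), tracing out one factor returns the other."""
    joint = np.kron(rho_a, rho_b)
    return bool(np.allclose(partial_trace_A(joint, 2, 2), rho_b)
                and np.allclose(partial_trace_B(joint, 2, 2), rho_a))


def bell_state_is_maximally_entangled():
    """|psi+> of Eq. 1.18 has both reduced states equal to 1/2 (Defn. 2.2.7)."""
    psi_plus = np.array([1, 0, 0, 1], dtype=complex) / np.sqrt(2)
    rho = np.outer(psi_plus, psi_plus.conj())
    return bool(np.allclose(partial_trace_A(rho, 2, 2), np.eye(2) / 2)
                and np.allclose(partial_trace_B(rho, 2, 2), np.eye(2) / 2))
```

The purification is built with the same eigenvectors on both sides, so tracing out $B$ kills every cross term $|i\rangle\langle k|$ with $i \neq k$ and leaves exactly the spectral decomposition of $\rho_A$; any other purification differs from this one by an isometry on $B$, as the text states.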

2.2.2 Quantum Maps 

Now that we have defined states, we can also define the way in which states can be transformed. All possible quantum transformations are captured by completely-positive trace-preserving maps.
Definition 2.2.8 (Completely-positive trace-preserving (CPTP) maps). A completely-positive trace-preserving (CPTP) map is a superoperator. Superoperators map linear operators in $\mathcal{L}(\mathcal{H}_A)$ to linear operators in $\mathcal{L}(\mathcal{H}_B)$. A superoperator, $\mathcal{E}$, is trace-preserving if

$$
\mathrm{Tr}\,\mathcal{E}(L) = \mathrm{Tr}\, L, \quad \forall L \in \mathcal{L}(\mathcal{H}_A). \tag{2.13}
$$

A superoperator is completely positive if

$$
\mathcal{E} \otimes \mathrm{id}(L) \geq 0, \quad \forall L \geq 0,\ L \in \mathcal{L}(\mathcal{H}_{AC}),\ \forall \mathcal{H}_C, \tag{2.14}
$$

where $\mathcal{H}_C$ is an auxiliary Hilbert space and $\mathrm{id}$ is the identity superoperator

$$
\mathrm{id}(M) = M, \quad \forall M \in \mathcal{L}(\mathcal{H}_C). \tag{2.15}
$$

In addition, a map is called positive if its output is a positive operator.

In order to represent a CPTP map in a concrete way, there are several options. The typical one is the Kraus-operator representation.

Lemma 2.2.9 (Kraus-operator representation). Any CPTP map $\mathcal{E}$ can be represented as a set of linear operators $A_i$ that satisfy $\sum_i A_i^\dagger A_i = \mathbb{1}$ (called Kraus operators) so that $\mathcal{E}$ maps states $\rho_A \in \mathcal{S}_=(\mathcal{H}_A)$ to $\mathcal{S}_=(\mathcal{H}_B)$ by

$$
\mathcal{E}(\rho_A) = \sum_i A_i\, \rho_A\, A_i^\dagger. \tag{2.16}
$$

A particular kind of CPTP map is a measurement, where a quantum system is mapped to a classical one. Measurements can be put into two frameworks that are equivalent. These frameworks are projective measurements and positive operator valued measures (POVMs). These are equivalent because a POVM can be seen as a projective measurement on a larger Hilbert space. POVMs will be the only framework for measurements we need for this thesis, so we introduce them here. For more information on the relation between projective measurements and POVMs, see [NC00].

Now we define POVM measurements.

Definition 2.2.10 (Quantum measurements). A POVM is a set of linear operators $\{F_i\}$ (each operator $F_i$ is called a POVM element) that are positive semidefinite, $F_i \geq 0$, and satisfy $\sum_i F_i = \mathbb{1}$. A measurement is defined with a POVM, where the measurement has classical outcomes $i$. Given a state $\rho \in \mathcal{S}_\leq(\mathcal{H})$ that is measured using the POVM $\{F_i\}$, the probability of getting outcome $i$ is $\mathrm{Tr}(F_i \rho)$. The post-measurement state for an input $\rho \in \mathcal{S}_\leq(\mathcal{H})$ is given by $\sum_i \mathrm{Tr}(F_i\rho)\, |i\rangle\langle i|$. Measuring in a basis $\{|\psi_i\rangle\}$ corresponds to measuring the POVM $\{|\psi_i\rangle\langle\psi_i|\}$.
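The following Python is an added example, not code from the thesis: it checks the two POVM conditions of Defn. 2.2.10, computes outcome probabilities $\mathrm{Tr}(F_i\rho)$ and the classical post-measurement register $\sum_i \mathrm{Tr}(F_i\rho)|i\rangle\langle i|$, and goes beyond the basis-measurement case with a three-element POVM that is not a set of projectors: the textbook unambiguous-discrimination POVM for the two non-orthogonal BB84 states $|0\rangle$ and $|+\rangle$. Its construction (elements proportional to the projectors onto the states orthogonal to $|+\rangle$ and $|0\rangle$, scaled so that the leftover element is still positive semidefinite) is assumed here and is not taken from the thesis; numpy is assumed.

```python
"""POVM measurements (Defn. 2.2.10): validity, probabilities, and a non-projective POVM. Added example."""
import numpy as np

KET0 = np.array([1, 0], dtype=complex)
KET1 = np.array([0, 1], dtype=complex)
PLUS = (KET0 + KET1) / np.sqrt(2)
MINUS = (KET0 - KET1) / np.sqrt(2)


def projector(v):
    return np.outer(v, v.conj())


def is_povm(elements, tol=1e-9):
    """Every element must be positive semidefinite and the elements must sum to the identity."""
    d = elements[0].shape[0]
    psd = all(np.linalg.eigvalsh((F + F.conj().T) / 2).min() > -tol for F in elements)
    return bool(psd and np.allclose(sum(elements), np.eye(d), atol=tol))


def outcome_probabilities(rho, elements):
    """Tr(F_i rho) for each POVM element, in order."""
    return [float(np.real(np.trace(F @ rho))) for F in elements]


def post_measurement_state(rho, elements):
    """sum_i Tr(F_i rho) |i><i|: the classical outcome register of Defn. 2.2.10 (a diagonal matrix)."""
    return np.diag(outcome_probabilities(rho, elements)).astype(complex)


def z_basis_povm():
    """Measuring in a basis is the POVM of its rank-one projectors."""
    return [projector(KET0), projector(KET1)]


def usd_povm():
    """Unambiguous discrimination of |0> and |+> (overlap s = <0|+> = 1/sqrt2).
    F_0 is proportional to |-><-| (orthogonal to |+>), F_plus to |1><1| (orthogonal to |0>);
    the factor 1/(1+s) is the largest that keeps F_? = 1 - F_0 - F_plus positive semidefinite."""
    s = abs(np.vdot(KET0, PLUS))
    f_zero = projector(MINUS) / (1 + s)
    f_plus = projector(KET1) / (1 + s)
    f_inconclusive = np.eye(2) - f_zero - f_plus
    return [f_zero, f_plus, f_inconclusive]


def usd_probabilities(label):
    """Probabilities (conclude |0>, conclude |+>, inconclusive) for input |0> ('0') or |+> ('+')."""
    rho = projector(KET0 if label == "0" else PLUS)
    return outcome_probabilities(rho, usd_povm())


def usd_never_errs():
    """A conclusive outcome never points to the wrong state; the price is the inconclusive outcome."""
    return bool(usd_probabilities("0")[1] < 1e-12 and usd_probabilities("+")[0] < 1e-12)


def register_is_valid_state(label="+"):
    """The post-measurement register is itself a density operator (diagonal, trace one)."""
    rho = projector(KET0 if label == "0" else PLUS)
    reg = post_measurement_state(rho, usd_povm())
    return bool(abs(np.trace(reg) - 1) < 1e-9 and np.allclose(reg, np.diag(np.diag(reg))))


if __name__ == "__main__":
    print("Z-basis POVM valid:", is_povm(z_basis_povm()), " USD POVM valid:", is_povm(usd_povm()))
    print("USD on |0>:", usd_probabilities("0"))
```

For input $|0\rangle$ the conclusive-correct probability is $1 - 1/\sqrt{2} \approx 0.293$ and the inconclusive probability is $1/\sqrt{2}$; the conclusive-wrong probability is exactly zero, which is what makes this POVM non-projective (three outcomes on a qubit) and useful as a sanity check of the positivity and completeness conditions.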
There are two properties of quantum maps that are both conceptually striking and incredibly useful. The first, the Stinespring dilation, is a correspondence between CPTP maps and unitaries. Essentially, any CPTP map can be considered as a unitary on a higher dimensional space. The second, the Choi-Jamiolkowski isomorphism, is a mapping from CPTP maps to quantum states.

One problem with the Kraus representation of CPTP maps is that the set of operators $\{A_i\}$ that describes it is not unique! Kraus operators are not unique because if a set of operators $\{A_i\}$ represents a CPTP map, then so does $C_i := U A_i$, where $U$ is a unitary. To see that this is the case, note that

$$
\sum_i C_i^\dagger C_i = \sum_i A_i^\dagger U^\dagger U A_i = \sum_i A_i^\dagger A_i = \mathbb{1}
\quad \text{and} \quad
\sum_i C_i\, \rho_A\, C_i^\dagger = \sum_i U A_i\, \rho_A\, A_i^\dagger U^\dagger = U\,\mathcal{E}(\rho_A)\,U^\dagger. \tag{2.17}
$$

The unitary applied to the last term is just a change of basis for the system in $\mathcal{S}_=(\mathcal{H}_B)$ and therefore does not change the outcomes of the map $\mathcal{E}$.

The lack of uniqueness of the Kraus operator representation makes it unideal for the analysis of some quantum information tasks (see Section 4.8.1), and so we use the Choi-Jamiolkowski representation. The Choi-Jamiolkowski (CJ) representation for quantum maps can be constructed from the Choi-Jamiolkowski isomorphism, which is a linear transformation that is an isomorphism (i.e. a transformation with an inverse) from CPTP maps to quantum states. The CJ isomorphism as presented here is not as general as it can be, since it also applies to linear maps in general and not just ones that map positive semidefinite operators. However, here we state the CJ isomorphism only for the correspondence between quantum maps and quantum states.

Theorem 2.2.11 (Choi-Jamiolkowski (CJ) isomorphism [Jam72, Cho75]). Given a CPTP map $\mathcal{E}$ that maps states in $\mathcal{S}_\leq(\mathcal{H}_A)$ to states in $\mathcal{S}_\leq(\mathcal{H}_B)$, where $\mathcal{H}_A$ and $\mathcal{H}_B$ have dimensions $d_A$ and $d_B$ respectively, the CJ map is given by

$$
\tau : \mathcal{E} \mapsto S = \mathcal{E} \otimes \mathrm{id}\left(|\Psi\rangle\langle\Psi|\right), \tag{2.18}
$$

where $|\Psi\rangle = \frac{1}{\sqrt{d_A}} \sum_{i=1}^{d_A} |e_i\rangle_A \otimes |e_i\rangle_{A'}$, $A'$ is an auxiliary space that has the same dimension as $A$, $\{|e_i\rangle\}$ is an orthonormal basis for $\mathcal{H}_A$, and $S$ is called the Choi-Jamiolkowski (CJ) matrix or CJ state.

The CJ matrix $S$ is therefore a $d_A d_B \times d_A d_B$ sized matrix. Note that since $\mathcal{E}$ is completely positive, it is clear that $S \geq 0$. The way that the output of the map can be represented using $S$ is by

$$
\mathcal{E}(\rho_A) = \mathrm{Tr}_{A'}\left( S\, \left(\mathbb{1}_B \otimes \rho_{A'}^{T}\right) \right), \tag{2.19}
$$
where $A'$ is a system of the same dimension as $A$, $\rho_{A'}$ is the same as $\rho_A$ but is in $\mathcal{S}_\leq(\mathcal{H}_{A'})$ instead of $\mathcal{S}_\leq(\mathcal{H}_A)$, and $\rho_A^T$ is the transpose of $\rho_A$ with respect to an orthonormal basis $\{|e_i\rangle\}$, defined here.

Definition 2.2.12 (Transpose). Given a state $\rho_A \in \mathcal{S}_\leq(\mathcal{H}_A)$ and an orthonormal basis $\{|e_i\rangle\}$ for $\mathcal{H}_A$, the transpose with respect to this basis is defined as

$$
\rho_A^T := \sum_{i,j} \langle e_j|\rho_A|e_i\rangle\, |e_i\rangle\langle e_j|. \tag{2.20}
$$

We can use Eq. 2.19 to see what the trace-preserving property of $\mathcal{E}$ implies for the CJ matrix:

$$
\mathrm{Tr}(\rho_A) = \mathrm{Tr}(\mathcal{E}(\rho_A)) = \mathrm{Tr}_A\left(\rho_A^T\, \mathrm{Tr}_B(S)\right). \tag{2.21}
$$

Since Eq. 2.21 has to hold for all possible $\rho_A \in \mathcal{S}_\leq(\mathcal{H}_A)$, it holds that

$$
\mathrm{Tr}_B(S) = \mathbb{1}_A. \tag{2.22}
$$

For more information about the CJ isomorphism, see [FSW07], Exercise 8 at [Ren12a], and the lecture notes mentioned at the beginning of this chapter. The CJ map has a concrete connection to the Kraus-operator representation. To define this connection, we introduce a notation found in [FSW07] as a representation of operators as vectors.

Definition 2.2.13 (Vector representation [FSW07]). Given a linear operator $L \in \mathcal{L}(\mathcal{H}_A, \mathcal{H}_B)$ that has a matrix representation from Eq. 2.1, where we define $c_{ij} = \langle f_j|L|e_i\rangle$, the vector representation of $L$ is defined as

(2.23)

A ket is used here to show that $L$ is represented as a vector, but the double bracket is included to show that $L$ is an operator.

Using this notation, we can represent the CJ matrix $S$ in terms of the Kraus operators $A_i$ as [FSW07]

$$
S = \sum_i |A_i\rangle\!\rangle\langle\!\langle A_i|. \tag{2.24}
$$

This means that the eigenvectors of the CJ matrix are the Kraus operators represented as vectors! Given a matrix, $S$, its decomposition into a set of vectors $\{|A_i\rangle\!\rangle\}$ in Eq. 2.24 is not necessarily unique. The decomposition, Eq. 2.24, therefore implies that the Kraus operators are not unique. In addition, this relation is a way to find one representation from the other. Given the Kraus operators, the CJ matrix can be found by turning them into vectors. If the CJ matrix is known, its eigenvectors give a set of Kraus operators that represent the same map.

In addition to the CJ isomorphism, there is another representation that is closely related, which explicitly shows the linear nature of CPTP maps.

Definition 2.2.14 (Normal representation [Wat13]). Given a CJ matrix representation, $S$, of a CPTP map, $\mathcal{E}$, and orthonormal bases for the input and output Hilbert spaces of $\mathcal{E}$, $\{|e_i\rangle\}$ and $\{|f_j\rangle\}$, the Normal representation is defined as the matrix

$$
S_R = \sum_{i,j,k,l} \langle f_j|\langle e_i|\, S\, |f_l\rangle|e_k\rangle\; |f_j\rangle|f_l\rangle\langle e_i|\langle e_k|. \tag{2.25}
$$

This representation is useful because of the way it acts on states. Instead of as in the CJ representation, Eq. 2.19, a CPTP map acts as

$$
|\mathcal{E}(\rho_A)\rangle\!\rangle = S_R\, |\rho_A\rangle\!\rangle. \tag{2.26}
$$

This makes the linearity of CPTP maps clear: it is a matrix acting on an input vector. For complete positivity, it is easier to use the CJ representation, i.e. $S \geq 0$. The trace-preserving property, however, can be written as $\langle\!\langle \mathbb{1}|S_R|\mathbb{1}\rangle\!\rangle = 1$.

As is known from traditional quantum mechanics, all quantum maps can be represented as unitaries. In the CPTP map framework, this unitary representation comes from the Stinespring dilation.

Theorem 2.2.15 (Stinespring dilation). Given a CPTP map $\mathcal{E}$ from $\mathcal{S}_=(\mathcal{H}_A)$ to $\mathcal{S}_=(\mathcal{H}_B)$, this map can be represented as an isometry, $U_{\mathrm{iso}}$, from $\mathcal{H}_A$ to $\mathcal{H}_{BR}$ followed by a partial trace over an ancillary system, $R$,

$$
\mathcal{E}(\rho_A) = \mathrm{Tr}_R\left( U_{\mathrm{iso}}\, \rho_A\, U_{\mathrm{iso}}^\dagger \right). \tag{2.27}
$$

Moreover, if the input space is extended to include another input system $\mathcal{H}_{A'}$ in a fixed state $\rho_0$, then the CPTP map can be represented as a unitary, $U$, mapping $AA'$ to $BR$:

$$
(\mathcal{E} \otimes \mathrm{id})(\rho_A \otimes \rho_0) = \mathrm{Tr}_R\left( U\, (\rho_A \otimes \rho_0)\, U^\dagger \right). \tag{2.28}
$$
This relation, along with the representations above, allows us to go between various forms of CPTP maps. They can be represented as isometries, unitaries, matrices, or a set of (Kraus) operators. Some have important advantages, such as that CJ matrices are unique, the Natural representation matrix can be applied in a simple way to states, and unitaries and isometries have particular properties (such as invertibility) that can be exploited.
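As an added example (not code from the thesis), the following Python builds the natural representation $S^R$ and the CJ matrix of a qubit channel from its Kraus operators and checks the points made above: $S^R$ acts linearly on the vectorised state as in Eq. 2.26, trace preservation can be read off either picture, and the CJ matrix does not depend on which Kraus decomposition was used (Kraus operators are not unique; the CJ matrix is). The amplitude-damping channel, the row-major vectorisation convention and all helper names are assumptions of this example, not the thesis's.

```python
"""Representations of a qubit CPTP map: Kraus operators -> natural representation
S^R (acting on the vectorised state, Eq. 2.26) and CJ matrix, with checks of the
trace-preserving condition in both pictures and of the uniqueness of the CJ matrix
under a change of Kraus operators. Added example, not from the thesis; the
row-major vec convention and the amplitude-damping channel are assumptions."""
from math import sqrt

def dag(m):
    """Conjugate transpose."""
    return [[m[j][i].conjugate() for j in range(len(m))] for i in range(len(m[0]))]

def conj(m):
    return [[x.conjugate() for x in row] for row in m]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]

def kron(a, b):
    ra, ca, rb, cb = len(a), len(a[0]), len(b), len(b[0])
    return [[a[i // rb][j // cb] * b[i % rb][j % cb] for j in range(ca * cb)]
            for i in range(ra * rb)]

def add(a, b):
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def zeros(n):
    return [[0j] * n for _ in range(n)]

def vec(m):
    """Row-major vectorisation |m>>, for which vec(A X B) = (A kron B^T) vec(X)."""
    return [x for row in m for x in row]

def natural_rep(kraus):
    """S^R = sum_k K_k kron conj(K_k): then vec(sum_k K rho K^dag) = S^R vec(rho)."""
    d = len(kraus[0])
    s = zeros(d * d)
    for k in kraus:
        s = add(s, kron(k, conj(k)))
    return s

def cj_matrix(kraus):
    """CJ matrix from the vectorised Kraus operators: sum_k |K_k>><<K_k|."""
    d = len(kraus[0])
    s = zeros(d * d)
    for k in kraus:
        v = vec(k)
        s = add(s, [[v[i] * v[j].conjugate() for j in range(d * d)] for i in range(d * d)])
    return s

def apply_kraus(kraus, rho):
    out = zeros(len(rho))
    for k in kraus:
        out = add(out, matmul(matmul(k, rho), dag(k)))
    return out

def apply_natural(s, rho):
    """|E(rho)>> = S^R |rho>>, reshaped back to a d x d matrix."""
    d = len(rho)
    v = vec(rho)
    w = [sum(s[i][j] * v[j] for j in range(d * d)) for i in range(d * d)]
    return [w[i * d:(i + 1) * d] for i in range(d)]

def max_abs_diff(a, b):
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))

def trace_out_output(cj, d):
    """Partial trace of the CJ matrix over the output index; TP means it equals 1."""
    return [[sum(cj[i * d + j][i * d + l] for i in range(d)) for l in range(d)] for j in range(d)]

def is_identity(m, tol=1e-12):
    return all(abs(m[i][j] - (1 if i == j else 0)) < tol for i in range(len(m)) for j in range(len(m)))

def mix_kraus(kraus):
    """A different Kraus set for the same map: K'_a = sum_b V_ab K_b with V the Hadamard."""
    k0, k1 = kraus
    h = 1 / sqrt(2)
    return [add([[h * x for x in r] for r in k0], [[h * x for x in r] for r in k1]),
            add([[h * x for x in r] for r in k0], [[-h * x for x in r] for r in k1])]

# Constructed example: amplitude damping with decay probability GAMMA, input |+><+|.
GAMMA = 0.3
KRAUS_AD = [[[1, 0], [0, sqrt(1 - GAMMA)]], [[0, sqrt(GAMMA)], [0, 0]]]
RHO_PLUS = [[0.5, 0.5], [0.5, 0.5]]

def natural_matches_kraus(kraus=KRAUS_AD, rho=RHO_PLUS):
    """Eq. 2.26 against the direct Kraus action on the same state."""
    return max_abs_diff(apply_natural(natural_rep(kraus), rho), apply_kraus(kraus, rho)) < 1e-12

def trace_preserving(kraus=KRAUS_AD):
    """sum_k K_k^dag K_k = 1, and the same condition read off the CJ matrix."""
    d = len(kraus[0])
    acc = zeros(d)
    for k in kraus:
        acc = add(acc, matmul(dag(k), k))
    return is_identity(acc) and is_identity(trace_out_output(cj_matrix(kraus), d))

def cj_is_unique(kraus=KRAUS_AD):
    """Two Kraus decompositions of one channel give the same CJ matrix."""
    return max_abs_diff(cj_matrix(kraus), cj_matrix(mix_kraus(kraus))) < 1e-12
```

The Hadamard mixing in `mix_kraus` is the standard freedom in choosing Kraus operators; running `cj_is_unique()` shows that this freedom disappears in the CJ matrix, which is why the CJ matrix is the convenient object when one has to decide whether a candidate description of a channel (for example a model of an eavesdropper's operation on a signal) is a valid CPTP map at all.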


2.3 Entropies 


Entropy is a mathematical tool to quantify an amount of uncertainty. 
Conversely, entropy can also be used to quantify the amount of information 
contained in a physical system. The quantity typically used for this purpose 
is the Shannon or von Neumann entropy. The former applies to classical 
systems while the latter applies to quantum systems. Historically, the idea 
of entropy originated from thermodynamics and then later entropy was 
defined for information theory. 

The Shannon and von Neumann entropies have been used in many areas of science. They apply to the situation where a process is repeated many times in exactly the same way. This is called the independent and identically distributed (i.i.d.) scenario. Because of this repetition and independence, the Shannon and von Neumann entropies actually characterize the average uncertainty in the system over these repetitions.

It can be useful to characterize uncertainty for a single process without any repetitions. This is called the one-shot scenario. In this case, there are classical and quantum generalizations of the Shannon and von Neumann entropies, which we call one-shot entropies. Before discussing these one-shot entropies we derive the Shannon entropy [Sha48] from some basic axioms and define the von Neumann entropy [vN55].


2.3.1 I.I.D. Entropy 

Uncertainty is such a useful concept, and so widely used, that we derive entropy from a set of intuitive axioms here to give a motivation for the definition that is used. We would like any good quantifier of uncertainty to satisfy the following intuitive properties.

1. Uncertainty should only depend on the probabilities of a random variable, not its values.

2. Uncertainty should increase monotonically in the number of outcomes of an experiment if all of the outcomes are equiprobable.

3. Uncertainty is additive. If two systems are independent then the uncertainty of both systems together should be the sum of the uncertainties of each system by itself.

4. Uncertainty should be a continuous function of the probabilities of a random variable.

The first property means that, for example, the only thing uncertainty 
should depend on should be the probability that it rains, and not the fact 
that the value associated to that probability is “raining.” 

The second property means that uncertainty should increase if there 
are more possible outcomes. For example, an equally balanced six-sided 
die has less uncertainty than an equally-balanced ten-sided die, just from 
the fact that there are more possible outcomes for the latter die roll. 

The third property means that, for example, the uncertainty about the 
weather tomorrow and the uncertainty about the outcome of rolling a six-sided die should just be the addition of their individual uncertainties. This
property could be changed to use another “combining” operation instead 
of addition (such as multiplication), though this choice can lead to strange 
behaviour of the uncertainty. For example, if it is very likely that it rains 
tomorrow and very unlikely that the number on a die rolls a 6 then the 
total uncertainty for both events, using multiplication, may be small, while 
the additive uncertainty would be large. 

The fourth property means that if the probability of an event changes 
slightly, the difference in the uncertainty should be bounded by a small 
constant dependent on the change in the probability. This property avoids 
strange behaviour of the uncertainty as a function of the probabilities. 

If we take these properties to be axioms for our quantity, then we necessarily reach the following unique definition (up to a constant factor). The following proof is based on the original by Shannon [Sha48] and Exercise 11.2 in [NC00]. Another proof can be found in [Pre98].

Theorem 2.3.1 (Shannon Entropy). A measure of uncertainty, called entropy, of a random variable $X$ with values $x_i$, $i \in \{1,2,\ldots,n\}$, and probabilities $p_i$ that satisfies the above axioms must necessarily have the form

$$H(X) = -c\sum_{i=1}^{n} p_i \log p_i, \quad (2.29)$$

where $c$ is a positive constant.
Proof. Let $A(k)$ be a function of uncertainty of a random variable $X$, where all of the probabilities are equal: $p_i = 1/k$. By axiom (1) we know that the function $A$ can only depend on $k$.

Now consider a random variable $Y$ with $s^m$ outcomes, where $s$ and $m$ are integers, and all probabilities are equal to $1/s^m$. We can also construct a similar random variable $Z$ with $t^n$ outcomes, where $t$ and $n$ are integers, and all probabilities are equal to $1/t^n$. Then we can always find an $n$ and $m$ such that

$$s^m \le t^n < s^{m+1}. \quad (2.30)$$

Taking the logarithm and dividing by $n\log s$ gives

$$\frac{m}{n} \le \frac{\log t}{\log s} < \frac{m}{n} + \frac{1}{n}, \qquad \left|\frac{m}{n} - \frac{\log t}{\log s}\right| \le \frac{1}{n}. \quad (2.31)$$


Note that $n$ and $m$ can be chosen arbitrarily large and the equation is still satisfied.¹ From axiom (2) we can apply the function $A$ to Eq. 2.30:

$$A(s^m) \le A(t^n) < A(s^{m+1}). \quad (2.32)$$


Note that the random variable $Y$ is equivalent to considering $m$ different choices and then $s$ choices with equal probability (and similarly for $Z$). By the additivity axiom (3), this means that we can write Eq. 2.32 as

$$mA(s) \le nA(t) < (m+1)A(s). \quad (2.33)$$

Dividing by $nA(s)$ and using Eq. 2.31 gives

$$\frac{m}{n} \le \frac{A(t)}{A(s)} < \frac{m}{n} + \frac{1}{n}, \quad (2.34)$$

$$\left|\frac{m}{n} - \frac{A(t)}{A(s)}\right| \le \frac{1}{n}, \qquad \left|\frac{A(t)}{A(s)} - \frac{\log t}{\log s}\right| \le \frac{2}{n}. \quad (2.35)$$


Since n can be made arbitrarily large, it implies that A(t) = clogt, where 
c is a constant. By the monotonicity axiom (2), the constant c must be 
positive. 


Now consider a random variable $W$ with $n$ outcomes and probabilities $p_i = N_i/\sum_j N_j$, where the $N_i$ are integers (see Fig. 2.1). Let each outcome $i$ be associated with $N_i$ objects. Assume we do an experiment whose outcomes

¹ Note that the difference $s^{m+1} - s^m = s^m(s-1)$ can be made arbitrarily large by increasing $m$. Another way to see this increasing difference is that $(s^{m+2} - s^{m+1})/(s^{m+1} - s^m) = s$, so the gap between $s^m$ and $s^{m+1}$ grows by a factor of $s$ by increasing $m$ by 1.
are described by $W$. We can consider getting outcome $i$ with probability $p_i$ and then uniformly at random picking one of the $N_i$ objects. The uncertainty about which object we get is then given by

$$H(p_1,\ldots,p_n) + \sum_i p_i\, c\log(N_i), \quad (2.36)$$

where $H(p_1,\ldots,p_n)$ is the uncertainty in getting outcome $i$ from $W$ and the second term is the uncertainty of uniformly picking one of the $N_i$ objects.

Equivalently, we can consider getting one of the $\sum_i N_i$ objects with equal probability. The uncertainty in this case is $c\log(\sum_i N_i)$. From axiom (3) these uncertainties should be the same:

$$c\log\Big(\sum_i N_i\Big) = \sum_i p_i\, c\log(N_i) + H(p_1,\ldots,p_n), \quad (2.37)$$

$$H(p_1,\ldots,p_n) = c\Big(\log\Big(\sum_i N_i\Big) - \sum_i p_i \log(N_i)\Big) = -c\sum_i p_i \log p_i, \quad (2.38)$$

where we use axiom (1) to write $H$ as a function of just the probabilities. Axiom (4) implies that Eq. 2.38 holds even for probability distributions different than $W$ but that are close to $W$. A similar argument can be made to argue that Eq. 2.38 holds for all random variables [Sha48, Pre98, NC00]. The constant $c$ is taken to be 1 for convenience. □

Note that in this derivation we took $n$ to be very large (i.e. in the limit as $n$ goes to infinity); $n$ characterized the number of independent repetitions of the random variable $Z$. Therefore, the Shannon entropy only applies to the independent and identically distributed (i.i.d.) limit.

A specific case of the Shannon entropy is for a single bit.

Definition 2.3.2 (Binary entropy). Given a random variable $X$ for a single bit, with probability $p = \Pr[X = 0]$, then

$$H(X) = h(p) = -p\log p - (1-p)\log(1-p). \quad (2.39)$$





The quantum analogue of the Shannon entropy, called the von Neumann entropy, takes the eigenvalues of a density operator as probabilities and inputs them into the Shannon entropy. The von Neumann entropy can be thought of as the uncertainty in the outcomes from measuring a quantum state in its eigenbasis.
Figure 2.1: The random variable $W$. Either one of the $\sum_{i=1}^{n} N_i$ items is chosen uniformly at random and associated to its group $N_i$, or item $i$ is chosen with probability $p_i = N_i/N$.

Definition 2.3.3 (von Neumann Entropy). Let $\rho_A \in S_\le(\mathcal{H}_A)$, then the von Neumann entropy is defined as

$$H(A)_\rho := -\mathrm{Tr}(\rho\log\rho). \quad (2.40)$$

A function acting on a state is defined as the function acting on the state's eigenvalues in the state's spectral decomposition. For example, if $\rho$ has spectral decomposition $\rho = \sum_i \lambda_i |i\rangle\langle i|$ then $\log\rho = \sum_i \log(\lambda_i)|i\rangle\langle i|$. The von Neumann entropy of $\rho$ can then be written as

(2.41)


Definition 2.3.4 (Conditional von Neumann Entropy). Let $\rho_{AB} \in S_\le(\mathcal{H}_{AB})$. Then the conditional von Neumann entropy is defined as

$$H(A|B)_\rho := H(AB)_\rho - H(B)_\rho. \quad (2.42)$$

The conditional Shannon entropy can be defined in the same way as the von Neumann entropy. The conditional entropy can be interpreted as the amount that the uncertainty changes for the system $A$ upon learning $B$.

The subscript on the entropy will be dropped if it is clear from the context which state the entropy refers to (i.e. $H(A) = H(A)_\rho$).
A fundamental property of the von Neumann entropy is the data-processing inequality.

Theorem 2.3.5 (Data-Processing Inequality (DPI)). Let $\rho_{ABC} \in S_\le(\mathcal{H}_{ABC})$. Then

$$H(A|BC)_\rho \le H(A|B)_\rho. \quad (2.43)$$

The data-processing inequality means that the uncertainty about a system $A$ cannot decrease if another system $C$ is lost. This inequality actually implies something stronger: that the uncertainty of $A$ cannot decrease under any CPTP map acting on the conditioning system. The Stinespring dilation (Theorem 2.2.15) represents any CPTP map as a unitary followed by a partial trace. Since the entropy is invariant under unitaries (unitaries do not change the eigenvalues of a state) and the DPI shows that the uncertainty does not decrease under a partial trace, for any CPTP map from a system $B$ to $D$ the uncertainty on $A$ cannot decrease:

$$H(A|B) \le H(A|D). \quad (2.44)$$

The proof of the data-processing inequality is surprisingly non-trivial and it will be discussed in Section 5.3. However, if one-shot entropies are considered instead (Section 2.3.2) then the data-processing inequality is straightforwardly proven (Theorem 5.3.1).
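To make the axiomatic derivation of Theorem 2.3.1 and the data-processing inequality just stated concrete in their classical form, here is an added Python example (not from the thesis). It computes the Shannon entropy with $c = 1$ and checks three things the text relies on: additivity for independent systems (axiom 3), the grouping identity of Eqs. 2.36 to 2.38 on constructed integer counts $N_i$, and the classical conditional entropy $H(X|Y) = H(XY) - H(Y)$, which is then used to verify Eq. 2.43 when the conditioning variable is passed through a noisy channel (the classical counterpart of a CPTP map on the conditioning system). The distributions and the channel are constructed for the example.

```python
"""Shannon entropy (c = 1, bits), the grouping identity behind Eqs. 2.36-2.38,
and the classical conditional entropy with a data-processing check (Eq. 2.43).
Added example, not from the thesis; distributions and channels are constructed."""
from math import log2

def shannon(probs):
    """H(p_1, ..., p_n) = -sum_i p_i log p_i with the convention 0 log 0 = 0."""
    return -sum(p * log2(p) for p in probs if p > 0)

def binary_entropy(p):
    """h(p) for a single bit with Pr[X = 0] = p (Eq. 2.39)."""
    return shannon([p, 1 - p])

def product_distribution(p, q):
    """Joint distribution of two independent variables (the setting of axiom 3)."""
    return [a * b for a in p for b in q]

def additivity_holds(p, q, tol=1e-12):
    """Axiom 3: H(p x q) = H(p) + H(q) for independent systems."""
    return abs(shannon(product_distribution(p, q)) - (shannon(p) + shannon(q))) < tol

def grouping_identity_holds(counts, tol=1e-12):
    """Eq. 2.37 with c = 1: choosing one of N = sum_i N_i objects uniformly (entropy
    log N) equals first choosing group i with p_i = N_i / N, then one of its N_i
    objects uniformly: H(p_1, ..., p_n) + sum_i p_i log N_i."""
    total = sum(counts)
    probs = [n / total for n in counts]
    two_stage = shannon(probs) + sum(p * log2(n) for p, n in zip(probs, counts))
    return abs(two_stage - log2(total)) < tol

def conditional_entropy(joint):
    """Classical H(X|Y) = H(XY) - H(Y) for a table joint[x][y] = Pr[X = x, Y = y]."""
    n_x, n_y = len(joint), len(joint[0])
    marginal_y = [sum(joint[x][y] for x in range(n_x)) for y in range(n_y)]
    return shannon([pxy for row in joint for pxy in row]) - shannon(marginal_y)

def degrade(joint, channel):
    """Pass the conditioning variable Y through channel[y][z] = Pr[Z = z | Y = y],
    returning the joint table of (X, Z): the 'processed' side system of the DPI."""
    n_x, n_y, n_z = len(joint), len(joint[0]), len(channel[0])
    return [[sum(joint[x][y] * channel[y][z] for y in range(n_y)) for z in range(n_z)]
            for x in range(n_x)]

# Constructed joint distribution: X a uniform bit, Y = X flipped with probability 0.1.
P_XY = [[0.45, 0.05], [0.05, 0.45]]
# Constructed channel acting on Y: a further 20% bit flip producing Z.
FLIP_20 = [[0.8, 0.2], [0.2, 0.8]]

def dpi_holds(joint=P_XY, channel=FLIP_20, tol=1e-12):
    """Eq. 2.43 in its classical form: H(X|Y) <= H(X|Z) whenever Z is obtained from Y
    alone, i.e. processing the conditioning system cannot reduce uncertainty about X."""
    return conditional_entropy(joint) <= conditional_entropy(degrade(joint, channel)) + tol
```

With these constructed tables, $H(X|Y) = h(0.1)$ and $H(X|Z) = h(0.26)$, since two successive bit flips of 10% and 20% compose to a 26% flip; the DPI check is the statement that the second flip can only make $X$ harder to predict from the side information.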

The data-processing inequality is related to another property called strong subadditivity. Given a state $\rho_{ABC} \in S_\le(\mathcal{H}_{ABC})$, strong subadditivity is

$$H(ABC) + H(B) \le H(AB) + H(BC). \quad (2.45)$$

It is clear from the definition of the conditional von Neumann entropy and Shannon entropy that Eq. 2.45 is equivalent to Eq. 2.43 for the Shannon and von Neumann entropies.

Note that all good entropy measures should satisfy the DPI, otherwise they may decrease under CPTP maps (meaning arbitrary information may be gained by just applying maps to an isolated system). However, the same is not true for strong subadditivity. The min- and max-entropy in the next section are examples of entropies that satisfy the DPI but do not satisfy strong subadditivity.

Another important property of the von Neumann entropy is for pure states $\rho_{AB} \in S_=(\mathcal{H}_{AB})$: $H(A) = H(B)$. To prove this property, we use the Schmidt decomposition, which enables any pure state to be written as $|\Psi\rangle_{AB} = \sum_i \alpha_i |\psi_i\rangle|\phi_i\rangle$, where $\{|\psi_i\rangle\}$ and $\{|\phi_i\rangle\}$ are orthonormal bases for $\mathcal{H}_A$ and $\mathcal{H}_B$ respectively. The reduced states on $A$ and $B$ are then $\rho_A = \mathrm{Tr}_B|\Psi\rangle\langle\Psi| = \sum_i |\alpha_i|^2 |\psi_i\rangle\langle\psi_i|$ and $\rho_B = \mathrm{Tr}_A|\Psi\rangle\langle\Psi| = \sum_i |\alpha_i|^2 |\phi_i\rangle\langle\phi_i|$, which means that $\rho_A$ and $\rho_B$ have the same eigenvalues. Since the entropy is only a function of the eigenvalues of the state, then clearly $H(A) = H(B)$.


2.3.2 One-Shot Entropies 

As mentioned previously, the Shannon and von Neumann entropies apply in the i.i.d. scenario where an experiment is repeated independently and infinitely many times. For the one-shot scenario there are two important entropies, the min- and max-entropy, which we call one-shot entropies. They come from a family of entropies called Rényi entropies [Ren61]. It turns out that all of the Rényi entropies are approximately equivalent to the (smooth) min- and max-entropy, so that they characterize all of the Rényi entropies [Tom12]. We will not use the other Rényi entropies in this thesis, and therefore we only discuss these two representative ones. Also, we only include their quantum definitions; their classical counterparts are defined similarly. For an in-depth discussion of one-shot entropies, see [Tom12].

Definition 2.3.6 (Min-Entropy). Let $\rho_{AB} \in S_\le(\mathcal{H}_{AB})$, then the conditional min-entropy is defined as

$$H_{\min}(A|B)_\rho := \max_{\sigma_B \in S_\le(\mathcal{H}_B)} \sup\{\lambda \in \mathbb{R} : \rho_{AB} \le 2^{-\lambda}\, \mathbb{1}_A \otimes \sigma_B\}. \quad (2.46)$$

The min-entropy of a classical-quantum (CQ) state $\rho_{XB}$ can be interpreted as the number of independent bits that can be distilled from $X$ so that the quantum system $B$ does not have any information about the system $X$ [Ren05, KRS09]. This is the task of randomness extraction. For more details on how this task can be used in cryptography, see Section 3.3.1.

Another interpretation of the conditional min-entropy of a CQ state $\rho_{XB}$ is as a guessing probability [KRS09]. If the quantum system $B$ undergoes the optimal measurement to try to predict the value of $X$ given access to the system $B$, then the probability of guessing $X$ correctly is given by $2^{-H_{\min}(X|B)}$.

Definition 2.3.7 (Max-Entropy). Let $\rho_{AB} \in S_\le(\mathcal{H}_{AB})$, then the conditional max-entropy is defined as

$$H_{\max}(A|B)_\rho := \max_{\sigma_B \in S_\le(\mathcal{H}_B)} \log \left\| \sqrt{\rho_{AB}}\,\sqrt{\mathbb{1}_A \otimes \sigma_B} \right\|_1^2. \quad (2.47)$$
Figure 2.2: State merging. Alice and Bob share a state that is purified with
system C. Alice wants to send p A to Bob by communicating through the classical 
channel and by using entanglement shared with him. 


The max-entropy characterizes the amount of entanglement required for a task called state merging [Ber09]. State merging is when there is a tripartite pure state $\rho_{ABC} \in S_=(\mathcal{H}_{ABC})$, where Alice and Bob hold systems $A$ and $B$ respectively, and Alice wants to send her state to Bob by only using classical communication (see Fig. 2.2). If Alice and Bob share certain entangled states they can use a protocol called teleportation that transfers a quantum state by only using entangled states and classical communication [BBC+93]. The amount of entanglement required for this task can then be quantified by the max-entropy.

Given a CQ state, $\rho_{XB}$, another interpretation of the max-entropy is the size of the system that $X$ can be compressed to, such that given access to the quantum system $B$, $X$ can be recovered [RR12].

The min- and max-entropy also characterize other protocols such as channel coding: the task of trying to reliably send messages through a noisy channel [KRS09, Tom12].

One problem with the above definitions is that they do not tolerate any errors in the tasks they characterize. To allow for an error probability, we define smooth versions of these quantities. These smooth definitions will also be continuous in the quantum state, while the non-smooth definitions are not continuous [Tom12]. We use the purified distance (Defn. B.3.7) for our sense of closeness for the definition of the smooth min- and max-entropy. To specify a region of close states around a fixed state, we define a ball.
Definition 2.3.8 ($\epsilon$-Ball). Let $\rho \in S_\le(\mathcal{H})$, then an $\epsilon$-ball around the state $\rho$ is defined as the set

$$\mathcal{B}^\epsilon(\rho) := \{\rho' : \rho' \in S_\le(\mathcal{H}),\ P(\rho,\rho') \le \epsilon\}. \quad (2.48)$$


We can now define smooth entropies as optimizing the min- and max-entropy over a ball of states that are close to the state of interest.

Definition 2.3.9 (Smooth Entropies). Let $\rho_{AB} \in S_\le(\mathcal{H}_{AB})$, then the smooth conditional min- and max-entropy are defined as

$$H^\epsilon_{\min}(A|B)_\rho := \max_{\rho' \in \mathcal{B}^\epsilon(\rho)} H_{\min}(A|B)_{\rho'}, \quad (2.49)$$

$$H^\epsilon_{\max}(A|B)_\rho := \min_{\rho' \in \mathcal{B}^\epsilon(\rho)} H_{\max}(A|B)_{\rho'}. \quad (2.50)$$


There are many properties of the min- and max-entropy which may be useful [Tom12]; however, for this thesis we will only need a duality of these entropies [TCR10], an uncertainty relation they obey [TR11], and a special case that relates these entropies to the von Neumann entropy [TCR09].

Theorem 2.3.10 (Duality of min- and max-entropy [TCR10]). Given a pure state $\rho_{ABC} \in S_\le(\mathcal{H}_{ABC})$ and $\epsilon > 0$ then

= (2.51) 

Theorem 2.3.11 (Uncertainty relation for min- and max-entropy [TR11]). Let $\rho_{ABC} \in S_\le(\mathcal{H}_{ABC})$, $\epsilon > 0$, and define two POVMs $F$ and $G$ described by POVM elements $\{F_x\}$ and $\{G_z\}$ acting on system $A$ giving outcomes $X$ and $Z$, then

$$H^\epsilon_{\min}(X|C) + H^\epsilon_{\max}(Z|B) \ge \log\frac{1}{c}, \quad (2.52)$$

where $c = \max_{x,z}\left\|\sqrt{F_x}\sqrt{G_z}\right\|_\infty^2$ is the overlap between the measurements $F$ and $G$.

This uncertainty relation can be used for cryptography, since it puts a lower bound on the entropy of Alice's measured state $X$ conditioned on an adversary's quantum system. We would like this entropy to be high, which happens when the entropy of Alice's other measurement outcome $Z$ conditioned on another system that Bob controls, $B$, is low. See Section 3.4.2 for how this uncertainty relation can be related to cryptography.
Theorem 2.3.12 (Quantum Asymptotic Equipartition Property [TCR09]). Let $\rho_{AB} \in S_=(\mathcal{H}_{AB})$. Then

$$\lim_{n\to\infty}\frac{1}{n} H^\epsilon_{\min}(A^n|B^n)_{\rho^{\otimes n}} = \lim_{n\to\infty}\frac{1}{n} H^\epsilon_{\max}(A^n|B^n)_{\rho^{\otimes n}} = H(A|B)_\rho. \quad (2.53)$$

This means that in the limit of having an i.i.d. quantum state the min- and max-entropy approach the von Neumann entropy. Therefore, the min- and max-entropy are generalizations of the von Neumann entropy to the one-shot scenario.
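As an added example (not from the thesis), the following Python makes two of the statements above concrete for classical distributions: the guessing-probability reading of the conditional min-entropy, $2^{-H_{\min}(X|Y)} = p_{\mathrm{guess}}$, evaluated on a constructed joint table with classical side information $Y$ in place of the quantum system $B$; and the asymptotic equipartition property, by computing the $\epsilon$-smooth min-entropy rate of $n$ i.i.d. biased bits for growing $n$ and comparing it with the Shannon entropy $h(p)$ that Theorem 2.3.12 says it approaches. The smoothing here optimises over sub-normalised distributions within trace distance $\epsilon$ rather than the purified distance of Defn. B.3.7, an assumption made so that the optimum has a closed form: clip the largest probabilities down to a common level until exactly $\epsilon$ of probability mass has been removed. The biased-coin parameters and all function names are assumptions of this example.

```python
"""Conditional min-entropy as a guessing probability and the smooth min-entropy
of i.i.d. bits approaching the Shannon entropy (classical face of the QAEP).
Added example, not from the thesis. Smoothing here uses the trace distance on
classical distributions (an assumption; the thesis uses the purified distance)."""
from math import comb, log2

def guessing_probability(joint):
    """p_guess = sum_y max_x Pr[X = x, Y = y]: for each y, guess the likeliest x."""
    return sum(max(joint[x][y] for x in range(len(joint))) for y in range(len(joint[0])))

def min_entropy_cond(joint):
    """Classical H_min(X|Y) = -log p_guess, the interpretation of [KRS09]."""
    return -log2(guessing_probability(joint))

def iid_bit_spectrum(p, n):
    """Probabilities of n i.i.d. bits with Pr[1] = p, grouped by Hamming weight k:
    a list of (probability of one such string, number of such strings), largest first.
    Grouping keeps the computation exact for n in the hundreds without enumerating 2^n strings."""
    spec = [(p ** k * (1 - p) ** (n - k), comb(n, k)) for k in range(n + 1)]
    return sorted(spec, key=lambda t: t[0], reverse=True)

def smooth_min_entropy(spectrum, eps):
    """H_min^eps of a classical distribution given as (level, count) pairs.
    The closest sub-normalised distribution with the smallest maximum clips every
    probability above a level lam, removing exactly eps of mass, so H_min^eps = -log lam.
    With eps = 0 this is the plain min-entropy -log max_x p_x."""
    spec = sorted(spectrum, key=lambda t: t[0], reverse=True)
    removed, capped = 0.0, 0
    for i, (level, count) in enumerate(spec):
        capped += count                          # entries currently sitting at `level`
        nxt = spec[i + 1][0] if i + 1 < len(spec) else 0.0
        if removed + capped * (level - nxt) >= eps:
            return -log2(level - (eps - removed) / capped)
        removed += capped * (level - nxt)        # lower them all to the next level
    raise ValueError("eps must be smaller than the total probability mass")

def aep_rates(p=0.2, eps=0.01, ns=(10, 100, 1000)):
    """H_min^eps(X^n) / n for growing n; the AEP says this tends to H(X) = h(p)."""
    return [smooth_min_entropy(iid_bit_spectrum(p, n), eps) / n for n in ns]

def shannon_bit(p):
    """h(p): the i.i.d. limit the rates above approach."""
    return -sum(q * log2(q) for q in (p, 1 - p) if q > 0)

# Constructed joint table: X a uniform bit, Y equal to X with probability 0.8.
P_XY = [[0.4, 0.1], [0.1, 0.4]]
```

Running `aep_rates()` gives rates that climb towards $h(0.2) \approx 0.722$ as $n$ grows, while the unsmoothed rate $-\log_2(\max_x p_x)/n$ stays at $-\log_2 0.8 \approx 0.322$ for every $n$; the gap between the smooth rate at finite $n$ and the Shannon limit is the kind of finite-size correction a one-shot security analysis has to pay for, whereas an i.i.d. analysis silently assumes the limit.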

2.4 Mutual Information 


The mutual information quantifies the amount of correlations between two systems. Like entropy, it is a useful quantity in various contexts. We define mutual information using entropy.

Definition 2.4.1 (Mutual Information). Let $\rho_{AB} \in S_\le(\mathcal{H}_{AB})$, then the mutual information is defined as

$$I(A:B) := H(A) - H(A|B) = H(B) - H(B|A). \quad (2.54)$$

For classical systems the Shannon entropy can be used in the definition instead.

The classical mutual information quantifies the amount of information that can be sent through a channel per bit (called the channel capacity) [Sha48]. In general, the mutual information quantifies the correlations between the systems $A$ and $B$.

There is also a conditional mutual information, defined similarly to the conditional von Neumann entropy.

Definition 2.4.2 (Conditional Mutual Information). Let $\rho_{ABC} \in S_\le(\mathcal{H}_{ABC})$, then the conditional mutual information is defined as

$$I(A:B|C) := H(A|C) - H(A|BC). \quad (2.55)$$

The conditional and non-conditional mutual information also apply to the i.i.d. setting and recent efforts have tried to generalize these quantities to the one-shot scenario [CBR14, BSW14]. It is not yet clear if these definitions are good generalizations since they have limited operational meaning. However, they satisfy many mathematical properties that are required of generalizations, such as the QAEP, DPI, and generalizations of properties of the von Neumann entropy.
Chapter 3

Security Proofs 

3.1 Introduction 


Security in quantum cryptography uses several ideas from physics, 
information theory, and computer science. Here we deconstruct the notion 
of security for quantum key distribution (QKD) into its component parts 
and detail the steps required to make a proof. We discuss general methods 
that can be used to prove security. Other quantum-cryptography security 
proofs also use some of the same tools presented here. 

For some QKD protocols, security can be thought of as stemming from the fact that non-orthogonal quantum states cannot be perfectly distinguished, such as $|0\rangle$ and $|+\rangle$ from the BB84 protocol. This means that if an eavesdropper, Eve, tries to distinguish them, she will introduce errors that Alice and Bob can detect. Either Alice and Bob can see that Eve has tampered with the quantum states and abort the protocol, or Eve's interference is low enough that Alice and Bob can both correct any errors they have and remove any possible information Eve may have about their strings.

For QKD protocols that use entanglement, security can be thought of as coming from the monogamy of entanglement: if Alice and Bob share a maximally entangled state, then necessarily Eve cannot have any correlations with Alice or Bob. As long as they can verify that they indeed share highly entangled states (i.e. states that are close to maximally entangled under some measure) then they can also correct errors and remove any information that Eve has about their measurements, or abort if they see that they do not have enough entanglement.

Yet another way to see how QKD could be secure is via the no-cloning principle. Given an unknown quantum state $\rho$ there is no CPTP map that copies $\rho$: $\mathcal{E}(\rho) = \rho \otimes \rho$. To see how cloning quantum states is not possible, assume that there did exist such a map. Consider the input states $|0\rangle$ and $|1\rangle$. These get turned into $|00\rangle$ and $|11\rangle$ respectively by the cloning map $\mathcal{E}$. By linearity, this implies that $(|0\rangle + |1\rangle)/\sqrt{2}$ should be mapped to $(|00\rangle + |11\rangle)/\sqrt{2}$. However, if we apply the map directly to $(|0\rangle + |1\rangle)/\sqrt{2}$ we get $(|0\rangle + |1\rangle)(|0\rangle + |1\rangle)/2 \neq (|00\rangle + |11\rangle)/\sqrt{2}$, which is a contradiction with our assumption that such a map existed. So as long as there is some uncertainty in what the state is (from Eve's perspective) then she cannot make (perfect) copies of the states sent through the quantum channel.

As discussed in Chapter 1, security of a QKD protocol is proven for a model. A model is a description of the protocol that includes a series of instructions for Alice and Bob to perform the protocol. Models include a characterization of and assumptions about the devices used in the protocol, such as sources, measurements, and Eve's attack. While in Chapter 1 the security of various protocols was mentioned, these were only meant as a statement of whether these protocols are secure in principle, i.e. for at least one model of the protocol. It is an entirely different challenge to prove that a practical model of a protocol is secure.

In this chapter we will discuss general tools without going into the details of how to prove security for practical models. The connection to security for practical models will be discussed in Chapter 4. Also, we will focus on finite-dimensional Hilbert spaces and therefore discrete QKD protocols. We will also discuss continuous-variable and device-independent security, but to a lesser extent. This focus is mainly due to the fact that there are some general tools for discrete protocols that work for a variety of protocols, while the current proofs for non-discrete protocols are usually more specialized.

First, we define security in a precise way (Section 3.2). Then we discuss the classical post-processing steps used in QKD and how the results from these other fields can be used to help reduce the security definition to a different kind of problem (Section 3.3). Lastly, we show several methods that are used to prove security by using several reduction techniques (Section 3.4).


3.2 Security Definition 


Before we describe how to prove security, it is important to define what we mean by security so we know what we actually want to prove in the first place! Intuitively we want to make sure that Alice and Bob share a key that no eavesdropper has any information about. This definition is too strong as we can only achieve approximate security, but approximate security is adequate for practical purposes. More precisely, we want that an eavesdropper knows nothing about the key Alice and Bob have with very high probability (secrecy). Also, we need to be sure that the protocol generates the same strings for Alice and Bob in the presence of an adversary (correctness). Lastly, we need to ensure that the protocol succeeds with high enough probability when there is no eavesdropper but some noise is present (robustness).¹

Note that we need all three of these conditions (secrecy, correctness, and robustness) to hold simultaneously, otherwise some protocols would be considered secure that are either not useful or do not fit with our intuitive notion of security. Consider the following three examples.

If a protocol is secret and correct then we consider it secure but it is 
not robust. In this case we would allow a protocol that always aborts to 
be considered secure. While this situation may fit in with the notion of 
security, these kinds of protocols are not useful, so we will also require a 
certain level of robustness. 

If a protocol is correct and robust but not secret, then Eve may have 
some information about Alice and Bob’s key. This protocol is clearly not 
secure! 

Finally, if a protocol is secret and robust but not correct, then Alice 
and Bob may have secret keys but they are not the same, which defeats 
the purpose of what QKD is trying to achieve. 

In addition to secrecy, correctness, and robustness, we also want to make sure that we can compose a QKD protocol with other protocols. For example, we could use a key from QKD for the one-time pad encryption to send a secure classical message. Then we want to make sure that even if Eve keeps whatever knowledge she has from the QKD protocol in a quantum memory she cannot find out any information about the key no matter what other protocols come afterwards. This notion is called composable security. We will discuss how our definition of security ensures that QKD is composable (Section 3.2.4).

We now discuss three models of what Eve can and cannot do, since 
security can be proven under each of these models. 

¹ In computer science the definitions of correctness and robustness are typically different than what is presented here.
3.2.1 Eve’s Attacks

There are three different classes of attacks for Eve that are considered 
in the literature. In increasing order of power given to Eve, they are: 
individual attacks, collective attacks, and coherent attacks. The first two 
attack strategies are considered in order to simplify the analysis, while the 
third strategy is the most general attack allowed by quantum mechanics. 
When facing the daunting task of proving security for a QKD protocol a first 
attempt may be made to prove security against individual attacks before 
moving on to proving full security under coherent attacks. Also, when a 
new QKD protocol is proposed it can be helpful to consider some simple 
individual attacks to see if the protocol is secure at all or if Eve can learn 
information without introducing a disturbance in the quantum states sent 
between Alice and Bob. 

Individual attacks are the least powerful for Eve: Eve attacks each signal as it is sent from Alice to Bob in the same way (i.e. individually). Her attack consists of a quantum operation on each signal with some CPTP map jointly with some systems of her own. After her CPTP map, Eve is required to measure her systems, but there is a discrepancy in the literature about which point Eve has to perform this measurement [SBPC+08]. Some say that this measurement happens after each signal is sent, which corresponds to the situation where Eve does not have a quantum memory, while others say that Eve measures at the time after all the classical post-processing is finished except for privacy amplification.

Collective attacks are when Eve attacks the signals independently as 
with individual attacks but keeps her own systems in a quantum state and 
does not have to measure them. 

Coherent attacks are the most general: Eve is allowed to do any attack 
allowed by quantum mechanics to the quantum systems sent between Alice 
and Bob. 

Many security proof methods only prove security against collective attacks. However, there are mathematical tools that can be used to generalize these proofs to prove that a protocol is secure against coherent attacks, such as the de Finetti theorem for quantum states or the post-selection technique (see Section 3.4.3).

Before giving a definition of security, we have a historical note on 
what security used to mean in the QKD community. 
3.2.2 Historical Definition

Intuitively, security in the context of QKD is to ensure that Eve only has a negligible amount of information about Alice and Bob’s key after the protocol. One measure of information used to quantify Eve’s information was the accessible information. If Alice and Bob share a key, $K$, after the QKD protocol and $Y$ is a random variable that describes the outcome of a measurement Eve applies to her system after the protocol, then the accessible information is defined as the mutual information $I(K:Y)$. Then security was defined as

$$I(K:Y) \approx 0, \quad (3.1)$$

for all possible strategies Eve can use to attack the protocol and measurements she can perform on her system. Since mutual information is a measure of correlations between the random variables ($K$ and $Y$ in this case) and the operational interpretation of the mutual information is as a quantification of the correlations between two systems (Section 2.4), it was thought that this definition captures the intuitive meaning of security.

However, the accessible information was shown to not be secure. Using the accessible information assumes that Eve does a measurement after the QKD protocol that is independent of any other information she could learn through a future protocol that uses the key. Eve could do a measurement that does depend on new information she learns during such future protocols. Indeed, an example was presented in [KRBM07] that shows that Eq. 3.1 can be satisfied and Eve can still gain information about the key. If the key is split into two parts $K = K_1 K_2$ and Eve delays the measurement of her system until she finds out the first part of the key $K_1$, then it is possible that $I(K_2 : Y') \gg 0$, where $Y'$ is obtained from Eve measuring her system using her knowledge of $K_1$.

This kind of security loophole is a lack of composability (see Section 3.2.4), since a part of the key is not secure when composed with the public revealing of another part of the key. We therefore want a security definition that can be composed with arbitrary other protocols and whatever part of the key Alice and Bob keep secret should still remain secure.

Since the discovery of the lack of security of the accessible information [KRBM07] a new definition has been proposed, which we use here [KRBM07, Ren05, PR14b]. The definition that we use has both an operational interpretation that agrees with the intuition we have for security (Eve has negligible information about Alice and Bob’s shared key) and is also composable. We first introduce the greater framework in which cryptographic security can be defined in general and then state our definition of security for QKD.




3.2.3 Abstract Cryptography 

Throughout this chapter we will consider QKD in the cryptographic framework known as Abstract Cryptography (AC) [MR11]. This framework takes a top-down approach to cryptography, where protocols are abstract black boxes that perform pre-defined actions by taking inputs from, and giving outputs to, various parties, some who are honest and some who are adversarial. Other approaches build up a framework in a bottom-up way by starting to define a computation or communication model [PW00, Can01], but we want to avoid the details here of the individual components of protocols by using the AC framework instead.

The AC framework is helpful to define security in an abstract and 
precise way. While we will not define the AC framework explicitly here, 
we will introduce some notions that help to define and understand security. 
For more details on this framework, see [PR14b, MR11]. 

Two kinds of protocols in AC are the ideal protocol and the real protocol.² For QKD, the ideal protocol runs a simulation of the real protocol and if the simulated protocol succeeds then Alice and Bob are given newly constructed identical secret keys and Eve gets no information about these new keys (Fig. 3.1a). If the simulated protocol fails then Alice, Bob, and Eve are notified that the protocol failed. Note that Eve learns whether the protocol succeeded or failed but she never learns anything else.

The real protocol is the model of what actually happens, where Eve 
is allowed to attack quantum communication between Alice and Bob and 
can get information about the key Alice and Bob are trying to construct 
(Fig. 3.1b). Note that this is a very general model that encompasses any 
possible quantum channel Alice and Bob use and any attack strategy by 
Eve that is allowed by quantum mechanics. 

Security is defined as the distance between the states shared by Alice, 
Bob, and Eve from the ideal protocol and the real protocol. To define this 
distance, we use the notion of a distinguisher. A distinguisher in QKD is an 
agent who has complete control of all inputs and outputs of Alice and Bob 
in a QKD protocol. The distinguisher may use any strategy (i.e. choices of 
inputs and interactions with outputs) to try to distinguish the real protocol 
from the ideal protocol. 

The distinguisher has a distinguishing advantage $\epsilon = 2p - 1$ if the distinguisher can distinguish between the real and ideal protocol with probability $p$. Note that the distance measure that describes the distinguishing advantage is the trace distance (Defn. B.3.4) due to its operational interpretation. If two states $\rho$ and $\sigma$ are given to a distinguisher that has to distinguish which state they have, the probability of guessing correctly is given by $1/2 + 1/2\, D(\rho, \sigma)$. The amount by which the distinguisher can do better than randomly guessing is the advantage, given by $1/2\, D(\rho, \sigma)$.

² In the AC framework these are usually called real and ideal systems. However, to avoid confusion with quantum systems, we call these entities protocols.

[Figure 3.1: The real and ideal QKD protocols [PR14b]. The diagrams show Alice, Bob, and Eve connected by an authenticated classical channel and an insecure quantum channel.]

(a) The ideal QKD protocol. A simulation of the real protocol is performed. If the simulation succeeds then Alice and Bob get access to a shared secret key. If the simulation fails then Alice and Bob get the symbol $\perp$ that indicates a failure.

(b) The real QKD protocol. Alice and Bob have protocols they perform by interacting with an authenticated classical channel and an insecure quantum channel that Eve can attack. Alice tries to send the state $\rho$ to Bob, which Eve may interfere with and send another state $\rho'$ to Bob instead. Eve also gets a copy of the classical communication $C$ sent through the authenticated classical channel. At the end of the protocol Alice and Bob have $k_A$ and $k_B$ respectively, or the protocol aborts and they get the symbol $\perp$.

The distinguishing advantage is used as a definition for security since 
the distinguishing advantage implies that AC protocols can be composed 
with other protocols and they still remain secure. 


3.2.4 Composability 

It is important that protocols can be composed with other protocols 
to form new protocols and the security should not be compromised by 
this composition. If a protocol can be composed in any way with any 
other protocol, and the statement of its security still holds, then it is called 
universally composable. 

For example, part of the key from QKD could be used to form an 
authenticated classical channel. It is crucial that the rest of the key that 
is not used is still secure, even if Eve has kept her state from QKD in a 
quantum memory and then measures her state using new information she 
gains from the authentication protocol. It is important that the part of the 
key that is used for authentication can be used as if it were a secure key, 
even though it is only approximately secure. 

The distinguishing advantage implies that the protocol is universally composable. Formal proofs of the composability of protocols whose security is characterized by the trace distance can be found in [BOHLM05, MQR09, MR11, Mau12, PR14b].

Composition can be broken up into two scenarios: sequential and parallel composition. Sequential composition is where a protocol uses outputs of a first protocol as inputs to a second protocol (such as the example described above). Parallel composition is where two protocols are run simultaneously and are combined to be considered as one protocol.

Sequential composition can be proven by using the triangle inequality for the distinguishing advantage. If one protocol is secure except with probability $\epsilon$ then we call it $\epsilon$-secure. If one protocol is $\epsilon_1$-secure and another is $\epsilon_2$-secure then these two protocols together are $(\epsilon_1 + \epsilon_2)$-secure. Parallel composition comes from a similar argument. For further details, see [MR11, Mau12, PR14b].
We can now use the trace distance to define security that is composable. We decompose security into two separate notions: secrecy and correctness [Ren05, TLGR12, Han10]. These simplify the process of proving security by reducing it to concrete statements about Alice’s and Bob’s strings and Eve’s quantum state as opposed to having to deal with the abstract ideal and real protocols.


3.2.5 Secrecy 

Secrecy for QKD is the notion that Eve does not have any information about Alice’s key. Secrecy is defined as the distance between the shared state of Alice and Eve in the real protocol and ideal protocol (see Section 3.2.3).

It is helpful to consider the distance between the states in the ideal protocol and real protocol as being decomposed into two scenarios: one where the protocol aborts and one where the protocol does not abort. Note that when the protocol aborts, Alice’s key is trivial, which means that the distance between the real and ideal state in the two protocols is zero, since Eve’s state is the same in both protocols. In the ideal protocol, Eve has no information about Alice’s state and Alice’s state is uniformly random whenever the protocol does not abort: $\rho^{\mathrm{ideal,pass}}_{AE} := \mathbb{1}_A/d_A \otimes \rho_E$. This means that the distance between the ideal protocol’s state $\rho^{\mathrm{ideal}}_{AE}$ and the real protocol’s state $\rho_{AE}$ is

$$ \|\rho_{AE} - \rho^{\mathrm{ideal}}_{AE}\|_1 \le p_{\mathrm{abort}} \cdot 0 + (1 - p_{\mathrm{abort}})\, \|\rho^{\mathrm{pass}}_{AE} - \rho^{\mathrm{ideal,pass}}_{AE}\|_1, \qquad (3.2) $$

where the latter states are conditioned on not aborting. This leads to the formal definition of secrecy [BOHLM05, KRBM07, Ren05].


Definition 3.2.1 ($\epsilon$-secrecy). A protocol is $\epsilon$-secret if, for any state $\rho^{\mathrm{pass}}_{AE} \in \mathcal{S}(\mathcal{H}_{AE})$ of the shared system between Alice and Eve after a QKD protocol (conditioned on not aborting), it satisfies

$$ (1 - p_{\mathrm{abort}})\, D\!\left(\rho^{\mathrm{pass}}_{AE},\ \frac{\mathbb{1}_A}{d_A} \otimes \rho^{\mathrm{pass}}_E\right) \le \epsilon, \qquad (3.3) $$

where $p_{\mathrm{abort}}$ is the probability of aborting the protocol and $d_A$ is the dimension of $\mathcal{H}_A$.


This definition means that the state after the real protocol is close to the ideal protocol (Fig. 3.1a), i.e. the real protocol’s state is close to the situation where Alice’s string is uniformly random and independent of Eve. Also, since we performed the same protocol inside the ideal protocol, Eve has the same state in the ideal protocol: $\rho^{\mathrm{pass}}_E = \mathrm{Tr}_A(\rho^{\mathrm{pass}}_{AE})$.

Importantly, the secrecy definition does not specify anything about the state $\rho^{\mathrm{pass}}_{AE}$. Therefore, the real or ideal protocols are secret regardless of how Eve tries to attack them. We want to be sure that our security definition ensures that Eve does not have any useful information about the key. It turns out that Defn. 3.2.1 implies that Eve does not get any information (with high probability), which is another reason why we use the trace distance for our security definition [KRBM07].

Another way of interpreting the security definition, other than as the difference between the ideal and real protocol’s states, is given by the following lemma.³ If the distinguisher has a distinguishing advantage of $\epsilon$ then the keys are exactly the same as the ideal keys, except with probability $\epsilon$.

Lemma 3.2.2 (Lemma 1 of [RK05], Prop. 2.1.1 in [Ren05], Corr. A.7 in [PR14b]). Given two probability distributions $P_X$ and $P_{X'}$ over the same alphabet, there exists a joint distribution $P_{XX'}$ such that $P_X$ and $P_{X'}$ are the marginals of $P_{XX'}$ and such that

$$ \Pr_{(x,x')}[x \ne x'] \le D(P_X, P_{X'}). \qquad (3.4) $$


A proof of this lemma can be found in [PR14b] . 

To see how this lemma implies the second interpretation of the security definition above, consider the following scenario. Let us assume Eve uses a strategy to measure her system to try to find out $A$ and gets a classical outcome $W$. Let $P_{AW}$ be the distribution of Alice’s key and Eve’s outcome in the ideal scenario, and $P_{A'W'}$ be the distribution in the real protocol. Then Lemma 3.2.2 says that we can construct a joint distribution $P_{AWA'W'}$ with the property of Eq. 3.4. Now we define the event

$$ \Omega := [A = A' \text{ and } W = W'], \qquad (3.5) $$

where the ideal and real protocols have the same output. Lemma 3.2.2 implies that the probability that $\Omega$ does not occur is

$$ \Pr[\neg\Omega] \le D(P_{AW}, P_{A'W'}). \qquad (3.6) $$

Since the ideal case is secure, if the event $\Omega$ happens on a run of the protocol, then the real protocol is also secure. Lemma 3.2.2 together with the definition of security and the fact that the trace distance only decreases under CPTP maps (Lemma B.3.9, where here the CPTP map is Eve’s measurement to obtain $W$ from $E$) implies that

$$ \Pr[\Omega] \ge 1 - D(P_{AW}, P_{A'W'}) \ge 1 - D\!\left(\rho^{\mathrm{pass}}_{AE},\ \frac{\mathbb{1}_A}{d_A} \otimes \rho_E\right) \ge 1 - \epsilon. \qquad (3.7) $$

This means that the real protocol is completely secure except with probability $\epsilon$. This gives an operational interpretation to $\epsilon$: it is the probability of failure for the protocol conditioned on not aborting.

³ This interpretation is from Christopher Portmann.
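The coupling that Lemma 3.2.2 promises, built explicitly as an added example (this code is not from the thesis): the ideal and real distributions of Alice’s one-bit key A and Eve’s classical outcome W are constructed numbers, and since both registers are classical the trace distance is the statistical distance, so Pr[¬Ω] of Eq. 3.6 can be checked exactly.

```python
from fractions import Fraction
from itertools import product

# Constructed distributions (not from the thesis). Alphabet: pairs (A, W) of a
# one-bit key A and a one-bit measurement outcome W obtained by Eve.
# Ideal protocol: A is uniform and independent of W.
P_W = {0: Fraction(1, 2), 1: Fraction(1, 2)}
P_IDEAL = {(a, w): Fraction(1, 2) * P_W[w] for a, w in product((0, 1), (0, 1))}
# Real protocol: Eve's outcome is slightly correlated with the key.
P_REAL = {(0, 0): Fraction(3, 10), (0, 1): Fraction(2, 10),
          (1, 0): Fraction(2, 10), (1, 1): Fraction(3, 10)}


def statistical_distance(p, q):
    """D(P, Q) = 1/2 sum_x |P(x) - Q(x)|: the trace distance of two classical states."""
    keys = set(p) | set(q)
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in keys) / 2


def maximal_coupling(p, q):
    """Joint distribution P_{XX'} with marginals p and q and Pr[x != x'] = D(p, q),
    i.e. the coupling whose existence Lemma 3.2.2 asserts.
    Each x keeps min(p(x), q(x)) on the diagonal; the mass left over on the
    p side is paired with the mass left over on the q side, proportionally."""
    keys = sorted(set(p) | set(q))
    overlap = {k: min(p.get(k, 0), q.get(k, 0)) for k in keys}
    joint = {(k, k): overlap[k] for k in keys}
    p_rest = {k: p.get(k, 0) - overlap[k] for k in keys}
    q_rest = {k: q.get(k, 0) - overlap[k] for k in keys}
    leftover = sum(p_rest.values())  # equals sum(q_rest.values()) = D(p, q)
    if leftover:
        for x, y in product(keys, keys):
            if p_rest[x] and q_rest[y]:  # never both nonzero for x == y
                joint[(x, y)] = joint.get((x, y), 0) + p_rest[x] * q_rest[y] / leftover
    return joint


def marginals(joint):
    """Return (P_X, P_X') of a joint distribution over pairs."""
    left, right = {}, {}
    for (x, y), pr in joint.items():
        left[x] = left.get(x, 0) + pr
        right[y] = right.get(y, 0) + pr
    return left, right


def mismatch_probability(joint):
    """Pr[not Omega], i.e. Pr[(A, W) != (A', W')] under the coupling (Eq. 3.6)."""
    return sum(pr for (x, y), pr in joint.items() if x != y)


def check_lemma(p_ideal=P_IDEAL, p_real=P_REAL):
    """Build the coupling and return (D, Pr[not Omega], marginals preserved?)."""
    joint = maximal_coupling(p_ideal, p_real)
    left, right = marginals(joint)
    preserved = left == p_ideal and right == p_real
    return statistical_distance(p_ideal, p_real), mismatch_probability(joint), preserved


if __name__ == "__main__":
    d, fail, ok = check_lemma()
    print(f"D = {d}, Pr[not Omega] = {fail}, marginals preserved: {ok}")
```

For these numbers the coupling meets Eq. 3.4 with equality: the two (A, W) registers disagree with probability exactly D = 1/10.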

3.2.6 Correctness 

Next we have the definition of approximate correctness of a QKD protocol. This definition is straightforwardly motivated since we want to be sure that Alice’s and Bob’s keys are almost always the same. We just require that the probability of their keys being different is low.

To make this definition we first define Alice’s and Bob’s keys at the end of the protocol as $K_A$ and $K_B$ respectively. If the protocol succeeds then these keys will represent the strings that Alice and Bob have. If the protocol aborts, then we will write $K_A = \perp$ and $K_B = \perp$ to denote that Alice and Bob know that the protocol aborted.

Definition 3.2.3 ($\epsilon$-correctness). Let $K_A$ and $K_B$ be the random variables for the strings that Alice and Bob have at the end of the QKD protocol respectively. Then the protocol is $\epsilon$-correct if

$$ \Pr[K_A \ne K_B] \le \epsilon. \qquad (3.8) $$

We can now combine secrecy and correctness to define security. Since 
we want the protocol to be indistinguishable from a secret and correct 
protocol, we can combine these two properties in the following way. 

3.2.7 Security: Combining Secrecy and Correctness 

Security is defined as a protocol that is both correct and secret (see the above sections). The precise definition of security can be somewhat confusing in that it is defined differently throughout the literature. Sometimes security is defined just as secrecy; or sometimes as secrecy, correctness, and robustness. Here, we clearly state security as an operational combination of secrecy and correctness. Robustness will be added as a separate criterion, and while robustness is considered an essential property of a protocol, it is not included in the security definition itself.
Definition 3.2.4 ($\epsilon$-security). Let $\rho^{\mathrm{pass}}_{ABE} \in \mathcal{S}(\mathcal{H}_{ABE})$ be the state of the shared system between Alice, Bob, and Eve after a QKD protocol, conditioned on not aborting. Then the protocol is $\epsilon$-secure if under any attack strategy by Eve:

$$ (1 - p_{\mathrm{abort}})\, D\!\left(\rho^{\mathrm{pass}}_{ABE},\ \rho^{\mathrm{ideal}}_{AB} \otimes \rho^{\mathrm{pass}}_E\right) \le \epsilon, \qquad (3.9) $$

where $p_{\mathrm{abort}}$ is the probability of aborting (which is the same for the real and ideal protocols) and $\rho^{\mathrm{ideal}}_{AB} := \frac{1}{d_A} \sum_{k} |k,k\rangle\langle k,k|$.

Note that we do not need to define security conditioned on not aborting; instead we can define security as the trace distance between the real protocol’s state $\rho_{ABE}$ and $\rho^{\mathrm{ideal}'}_{AB} \otimes \rho_E$, where $\rho^{\mathrm{ideal}'}_{AB} := (1 - p_{\mathrm{abort}})\, \rho^{\mathrm{ideal}}_{AB} + p_{\mathrm{abort}}\, |\perp,\perp\rangle\langle\perp,\perp|$. However, as with the definition of secrecy, this definition is equivalent to Eq. 3.9 since Alice’s and Bob’s strings are trivially the same in the real and ideal protocols when they abort (since they get the symbol $\perp$ when the protocol aborts) and Eve’s state is also the same in both protocols conditioned on aborting (since she only knows that the protocol has aborted and nothing else).

In addition, the definition of security does not make any assumptions 
about the state shared by Alice, Bob, and Eve. This means that Eve can do 
any attack allowed in the ideal and real protocols. 

Now we can show the relationship between secrecy, correctness and 
our definition of security. 

Theorem 3.2.5 ($\epsilon$-security). If a protocol is $\epsilon_{\mathrm{sec}}$-secret and $\epsilon_{\mathrm{cor}}$-correct then the protocol is $\epsilon$-secure, where $\epsilon = \epsilon_{\mathrm{sec}} + \epsilon_{\mathrm{cor}}$.

We include a proof of this theorem here, since this theorem is essential to define security from the definitions of secrecy and correctness for QKD. To see why the sum of the parameters for secrecy and correctness can be used for security, we use the following proof from [PR14b]. The proof follows from the triangle inequality for the trace distance.

Proof. First, we define $p_{k_A,k_B}$ to be the probability that Alice and Bob get keys $k_A$ and $k_B$ conditioned on the protocol not aborting. Also, we define the quantum state Alice, Bob, and Eve share after the real protocol, $\rho_{ABE}$, which can be written as a CQ state (Defn. 2.2.6):

$$ \rho_{ABE} := p_{\mathrm{abort}}\, |\perp,\perp\rangle\langle\perp,\perp| \otimes \rho_E + \sum_{k_A,k_B} p_{k_A,k_B}\, |k_A,k_B\rangle\langle k_A,k_B| \otimes \rho_E^{k_A,k_B}. \qquad (3.10) $$

If we define the state

$$ \gamma_{ABE} := \frac{1}{1 - p_{\mathrm{abort}}} \sum_{k_A,k_B} p_{k_A,k_B}\, |k_A,k_A\rangle\langle k_A,k_A| \otimes \rho_E^{k_A,k_B}, \qquad (3.11) $$

where Alice and Bob share the same key and Eve is independent of their keys, then by using the triangle inequality we get

$$ D\!\left(\rho^{\mathrm{pass}}_{ABE},\ \rho^{\mathrm{ideal}}_{AB} \otimes \rho^{\mathrm{pass}}_E\right) \le D\!\left(\rho^{\mathrm{pass}}_{ABE},\ \gamma_{ABE}\right) + D\!\left(\gamma_{ABE},\ \rho^{\mathrm{ideal}}_{AB} \otimes \rho^{\mathrm{pass}}_E\right). \qquad (3.12) $$

Note that we can write $\rho^{\mathrm{pass}}_{ABE}$ using Eq. 3.10 as

$$ \rho^{\mathrm{pass}}_{ABE} = \frac{1}{1 - p_{\mathrm{abort}}} \sum_{k_A,k_B} p_{k_A,k_B}\, |k_A,k_B\rangle\langle k_A,k_B| \otimes \rho_E^{k_A,k_B}, \qquad (3.13) $$

and therefore, by using the strong convexity of the trace distance (Theorem B.3.10),

$$ D\!\left(\rho^{\mathrm{pass}}_{ABE},\ \gamma_{ABE}\right) \qquad (3.14) $$
$$ \le \sum_{k_A,k_B} \frac{p_{k_A,k_B}}{1 - p_{\mathrm{abort}}}\, D\!\left(|k_A,k_B\rangle\langle k_A,k_B| \otimes \rho_E^{k_A,k_B},\ |k_A,k_A\rangle\langle k_A,k_A| \otimes \rho_E^{k_A,k_B}\right) \qquad (3.15) $$
$$ = \sum_{k_A \ne k_B} \frac{p_{k_A,k_B}}{1 - p_{\mathrm{abort}}} = \frac{\Pr[K_A \ne K_B]}{1 - p_{\mathrm{abort}}}. \qquad (3.16) $$

For the other term in Eq. 3.12 note that $\gamma_{ABE}$ and $\rho^{\mathrm{ideal}}_{AB} \otimes \rho^{\mathrm{pass}}_E$ both have the $B$ system as a copy of the $A$ system. Also, we know that $\mathrm{Tr}_B\, \gamma_{ABE} = \mathrm{Tr}_B\, \rho^{\mathrm{pass}}_{ABE}$. Using these facts and that the trace distance does not increase under CPTP maps (Lemma B.3.9, in this case the map is the trace over the $B$ system) we get

$$ D\!\left(\gamma_{ABE},\ \rho^{\mathrm{ideal}}_{AB} \otimes \rho^{\mathrm{pass}}_E\right) = D\!\left(\gamma_{AE},\ \frac{\mathbb{1}_A}{d_A} \otimes \rho^{\mathrm{pass}}_E\right) \qquad (3.17) $$
$$ = D\!\left(\rho^{\mathrm{pass}}_{AE},\ \frac{\mathbb{1}_A}{d_A} \otimes \rho^{\mathrm{pass}}_E\right). \qquad (3.18) $$

Combining Eq. 3.16 and Eq. 3.18 gives us

$$ (1 - p_{\mathrm{abort}})\, D\!\left(\rho^{\mathrm{pass}}_{ABE},\ \rho^{\mathrm{ideal}}_{AB} \otimes \rho^{\mathrm{pass}}_E\right) \qquad (3.19) $$
$$ \le \Pr[K_A \ne K_B] + (1 - p_{\mathrm{abort}})\, D\!\left(\rho^{\mathrm{pass}}_{AE},\ \frac{\mathbb{1}_A}{d_A} \otimes \rho^{\mathrm{pass}}_E\right) \qquad (3.20) $$
$$ \le \epsilon_{\mathrm{cor}} + \epsilon_{\mathrm{sec}}, \qquad (3.21) $$

which implies that security (i.e. both secrecy and correctness at the same time, Eq. 3.19) is bounded by $\epsilon_{\mathrm{sec}} + \epsilon_{\mathrm{cor}}$. □

Note that through Lemma 3.2.2 we can interpret security in a similar way to secrecy. This means that the security definition Eq. 3.9 can be interpreted as: Alice’s and Bob’s keys are the same and independent of Eve, except with probability $\epsilon$.
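Theorem 3.2.5 evaluated on a constructed toy run, as an added example that is not part of the thesis: Eve’s system is replaced by a classical measurement outcome W (which can only lower the trace distances, Lemma B.3.9), and the quantities of Eqs. 3.3, 3.8 and 3.9 are computed exactly with fractions; the abort probability, key statistics and flip probability are made-up values.

```python
from fractions import Fraction

# Constructed statistics (not from the thesis) of one run, conditioned on not
# aborting: P(k_A, w) for Alice's one-bit key k_A and the classical outcome w
# of a measurement Eve performs on her system E. With E replaced by W every
# state below is diagonal, so each trace distance is a statistical distance.
P_ABORT = Fraction(1, 10)
P_AW = {(0, 0): Fraction(3, 10), (0, 1): Fraction(2, 10),
        (1, 0): Fraction(2, 10), (1, 1): Fraction(3, 10)}
P_FLIP = Fraction(1, 10)  # Pr[k_B != k_A | not aborted], independent of w
D_A = 2                   # dimension d_A of Alice's key space


def statistical_distance(p, q):
    """Trace distance of two classical states: 1/2 sum_x |P(x) - Q(x)|."""
    keys = set(p) | set(q)
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in keys) / 2


def marginal(dist, keep):
    """Marginalise a distribution over tuples onto the coordinate indices in `keep`."""
    out = {}
    for key, pr in dist.items():
        sub = tuple(key[i] for i in keep)
        out[sub] = out.get(sub, 0) + pr
    return out


def real_state():
    """rho^pass_ABW of Eq. 3.13: Bob's key equals Alice's except with probability P_FLIP."""
    return {(ka, kb, w): pr * (P_FLIP if kb != ka else 1 - P_FLIP)
            for (ka, w), pr in P_AW.items() for kb in (0, 1)}


def secrecy_epsilon():
    """(1 - p_abort) * D(rho^pass_AW, 1_A/d_A (x) rho^pass_W), the quantity of Eq. 3.3."""
    p_w = marginal(P_AW, (1,))
    ideal = {(ka, w): Fraction(1, D_A) * pw for ka in range(D_A) for (w,), pw in p_w.items()}
    return (1 - P_ABORT) * statistical_distance(P_AW, ideal)


def correctness_epsilon():
    """Pr[K_A != K_B] of Eq. 3.8; on abort both keys are the symbol ⊥ and agree,
    so only the non-aborting branch contributes."""
    return (1 - P_ABORT) * sum(pr for (ka, kb, _), pr in real_state().items() if ka != kb)


def security_epsilon():
    """(1 - p_abort) * D(rho^pass_ABW, rho^ideal_AB (x) rho^pass_W), the quantity of Eq. 3.9."""
    p_w = marginal(P_AW, (1,))
    ideal = {(k, k, w): Fraction(1, D_A) * pw for k in range(D_A) for (w,), pw in p_w.items()}
    return (1 - P_ABORT) * statistical_distance(real_state(), ideal)


def theorem_3_2_5_holds():
    """Security is bounded by secrecy plus correctness (Eq. 3.21)."""
    return security_epsilon() <= secrecy_epsilon() + correctness_epsilon()


if __name__ == "__main__":
    print("eps_sec =", secrecy_epsilon(), "eps_cor =", correctness_epsilon(),
          "eps =", security_epsilon(), "bound holds:", theorem_3_2_5_holds())
```

Here the bound is not tight (63/500 versus 9/100 + 9/100), which is typical: the triangle inequality in Eq. 3.12 charges the correctness and secrecy defects separately.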

Also, sometimes the definition of security is defined as 



(3.22) 


such as in the published version of [TLGR12] or [Tom12, Fur14]. However, this definition is only known to be composable in parallel with an extra factor of 2 (see [PR14b]). Therefore, it is important to use the definition stated above, Defn. 3.2.1.


3.2.8 Robustness 

As mentioned in the introduction to this section, security is not sufficient for a QKD protocol, since a trivial protocol that outputs empty strings for Alice and Bob is secure. Therefore, we also need robustness to make sure that any protocol we consider is not only secure, but outputs keys of non-trivial size.

Definition 3.2.6 (e-robustness [PR14b]). A QKD protocol is e-robust if the 
probability of aborting the real protocol when Eve does not attack the protocol 



Note that to determine when Eve does not attack the protocol, a model of the quantum channel between Alice and Bob is required. If they know this model then they can calculate the probability that they will abort by estimating an error rate that is beyond the threshold allowed by the protocol.

Now that we have defined robustness, we discuss the classical post-processing that is performed after the quantum stage of the QKD protocol in order to use some classical results to simplify the problem of proving security.


3.3 Classical Post-Processing 


Technically, proving security just entails showing that Eq. 3.9 holds. 
While there may be many ways to do so, we use some standard techniques 
that allow the reduction of the problem to one that is more easily proved. 
For example, security can be reduced to the problem of proving a lower bound on the entropy of Alice conditioned on Eve. These techniques come from the analysis of the classical post-processing performed after the quantum stage of QKD. These are broken down into (in reverse chronological order): privacy amplification, information reconciliation, and parameter estimation.

In this thesis we focus on discrete-variable protocols, where finite-dimensional Hilbert spaces are used, though some of these results apply just to classical strings and therefore are protocol independent and can be applied to continuous-variable protocols as well.


3.3.1 Privacy Amplification 

Privacy amplification is the process of removing any residual information that Eve may have about the key after all the other steps in the QKD protocol. This subprotocol can be achieved by using randomness extractors. Randomness extractors are functions that take a source of randomness as input, e.g. a string with a lower bound on its entropy, as well as a small uniformly random string called a seed, and output an almost uniformly random output that is longer than the seed. We are interested in not just extracting randomness but extracting randomness with respect to a quantum adversary. We are also interested in an extractor that is strong, where the seed and output string are independent of each other. Together, we want a strong randomness extractor against quantum adversaries, defined here.

Definition 3.3.1 (Quantum-Proof Strong Randomness Extractor, Defn. 3.2 in [DPVR12]). A $(k, \epsilon)$-strong quantum-proof randomness extractor, Ext, is a function from $\{0,1\}^n \times \{0,1\}^d$ to $\{0,1\}^m$ if for all CQ states $\rho_{XE}$ with a classical $X \in \{0,1\}^n$⁴ with min-entropy $H_{\min}(X|E)_\rho \ge k$ and a uniform seed $Y \in \{0,1\}^d$ we have



(3.23) 


There are two main randomness extractors used for privacy amplification in QKD: the leftover hashing lemma [McI87, ILL89, IZ89, Ren05] and Trevisan’s extractor [DPVR12, MPS12].

⁴ Note that $\{0,1\}^n$ is the set of bit strings of length $n$.
Leftover Hashing

Informally, the leftover hashing lemma shows how much randomness can be extracted from a classical source that has at least a certain amount of min-entropy. This lemma has also been generalized to the case where there is a quantum system that has correlations with the classical source [TSSR10, Tom12]. For QKD this means we can prove a lower bound on the min-entropy of Alice’s string given Eve’s quantum system. The set of functions that achieve this randomness extraction is called a two-universal family of hash functions.

Definition 3.3.2 ($\delta$-almost Two-Universal Hash Functions [CW79]). Let $\delta > 0$ and let $f$ be a function in a family (i.e. a set) $\mathcal{F}$ with input space $\mathcal{X}$ and output space $\mathcal{Y}$. Then $\mathcal{F}$ is a $\delta$-almost two-universal family of hash functions if

$$ \Pr_{f \in \mathcal{F}}[f(x) = f(x')] \le \delta, \qquad (3.24) $$

for any $x \ne x' \in \mathcal{X}$. $\mathcal{F}$ is a two-universal family of hash functions if $\delta = 1/|\mathcal{Y}|$.

In addition, a family of two-universal hash functions always exists from $\{0,1\}^n$ (i.e. the set of strings of $n$ bits) to $\{0,1\}^\ell$ for all integers $n$ and $\ell$ [CW79, WC81, Ren05]. A family of $\delta$-almost two-universal hash functions always exists from $\mathbb{F}^r$ to $\mathbb{F}$ for $\delta = (r - 1)/|\mathbb{F}|$, where $r$ is an integer and $\mathbb{F}$ is a field [TSSR10].

An example of a family of two-universal hash functions is the set $\mathcal{F} = \{f_a\}_{a \in \{0,1\}^n}$ with functions mapping from strings of bits $\{0,1\}^n$ to $\{0,1\}^\ell$ by

$$ f_a(x) = x \cdot a \bmod 2^\ell, \qquad (3.25) $$

where $x \cdot a$ is multiplication in the field $\mathrm{GF}(2^n)$ [CW79, TSSR10] (see Section B.1). To see why this family is two-universal, notice that

$$ \Pr_a\!\left[x \cdot a \bmod 2^\ell = x' \cdot a \bmod 2^\ell\right] = \Pr_a\!\left[(x - x') \cdot a \bmod 2^\ell = 0\right]. \qquad (3.26) $$

To interpret this probability we will use the isomorphism between strings and elements of a finite group. A string of bits can be represented as a member of $\mathrm{GF}(2^\ell)$ by representing the string modulo $2^\ell$. Eq. 3.26 implicitly contains the isomorphism from strings of length $n$ to the field $\mathrm{GF}(2^n)$ in order to perform the multiplication $(x - x') \cdot a$.

Let us now consider the outcome of the multiplication $(x - x') \cdot a$ for all possible values of $a$. If we let $\alpha$ be a non-zero element of $\mathrm{GF}(2^n)$ then we can either write $a = \alpha^j$ or $a = 0$, and write $(x - x') = \alpha^k$ for $j, k \in \{0, \dots, 2^n - 2\}$. Then by varying $j$ from $0$ to $2^n - 2$ and including $a = 0$, the set of results of the multiplication $(x - x') \cdot a$ is $\{\alpha^k, \alpha^{k+1}, \dots, \alpha^{2^n - 2}, 1, \alpha, \dots, \alpha^{k-1}, 0\}$, which is just a permutation of the elements of the field. This fact shows that the mapping $a \to (x - x') \cdot a$ is bijective.⁵ Now to take $(x - x') \cdot a$ modulo $2^\ell$ we apply an isomorphism from $\mathrm{GF}(2^n)$ to the integer set $\{0, 1, \dots, 2^n\}$. Since the mapping on $a$ is bijective, each of these integers appears once, and therefore taking them modulo $2^\ell$ will mean each value in $\{0, \dots, 2^\ell - 1\}$ will appear with equal probability since $2^\ell$ divides $2^n$:

$$ \Pr_a\!\left[(x - x') \cdot a \bmod 2^\ell = 0\right] = \frac{1}{2^\ell}, \qquad (3.27) $$

and hence this family is two-universal.


An example of a family of $\delta$-almost two-universal hash functions is the set $\mathcal{F} = \{f_a\}_{a \in \mathbb{F}}$ for any field $\mathbb{F}$ (see Section B.1), where $f_a$ maps from $\mathbb{F}^r$ to $\mathbb{F}$ by

$$ f_a(x_1, \dots, x_r) = \sum_{i=1}^{r} x_i\, a^{r-i}, \qquad (3.28) $$

where $x = (x_1, \dots, x_r)$ [TSSR10]. This family is $\delta$-almost two-universal for $\delta = (r - 1)/|\mathbb{F}|$ since

$$ \Pr_a\!\left[f_a(x) = f_a(x')\right] = \Pr_a\!\left[\sum_{i=1}^{r} (x_i - x'_i)\, a^{r-i} = 0\right] \qquad (3.29) $$
$$ \le \frac{r - 1}{|\mathbb{F}|}, \qquad (3.30) $$

where the last step comes from the fact that a polynomial (in this case, in $a$) of order $r - 1$ has at most $r - 1$ roots, and $a$ is chosen uniformly at random out of the elements of $\mathbb{F}$.
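Both families above, Eq. 3.25 over GF(2^n) and Eq. 3.28 over a prime field, implemented as an added example (not the thesis’s own code), with the collision probability of Defn. 3.3.2 computed exhaustively so the bounds 1/2^ℓ and (r−1)/|F| can be checked; the irreducible polynomials and the field sizes are my choices.

```python
from fractions import Fraction
from itertools import product

# Irreducible polynomials defining GF(2^n) for the sizes used below. These are
# standard choices (x^4 + x + 1 and x^8 + x^4 + x^3 + x + 1), not taken from the thesis.
IRREDUCIBLE = {4: 0b10011, 8: 0b100011011}


def gf2n_mul(x, y, n):
    """Multiply two elements of GF(2^n) (bit strings stored as ints) by shift-and-add,
    reducing modulo the irreducible polynomial whenever bit n becomes set."""
    modulus = IRREDUCIBLE[n]
    result = 0
    for _ in range(n):
        if y & 1:
            result ^= x
        y >>= 1
        x <<= 1
        if x >> n & 1:
            x ^= modulus
    return result


def f_gf(a, x, n, ell):
    """Eq. 3.25: f_a(x) = x . a mod 2^ell, i.e. the low ell bits of the GF(2^n) product."""
    return gf2n_mul(x, a, n) & ((1 << ell) - 1)


def gf_family_max_collision(n, ell):
    """max over x != x' of Pr_a[f_a(x) = f_a(x')] for the family of Eq. 3.25.
    Field multiplication distributes over XOR, so f_a(x) = f_a(x') iff f_a(x XOR x') = 0:
    it suffices to enumerate every nonzero difference d and every key a."""
    size = 1 << n
    worst = Fraction(0)
    for d in range(1, size):
        hits = sum(1 for a in range(size) if f_gf(a, d, n, ell) == 0)
        worst = max(worst, Fraction(hits, size))
    return worst


def f_poly(a, x, p):
    """Eq. 3.28 over the prime field F_p: f_a(x_1..x_r) = sum_i x_i a^(r-i), in Horner form."""
    acc = 0
    for xi in x:
        acc = (acc * a + xi) % p
    return acc


def poly_family_max_collision(p, r):
    """max over x != x' of Pr_a[f_a(x) = f_a(x')] for the family of Eq. 3.28.
    Again only the difference d = x - x' (mod p) matters; the collisions are the
    roots in F_p of the polynomial of degree < r whose coefficients are d."""
    worst = Fraction(0)
    for d in product(range(p), repeat=r):
        if not any(d):
            continue
        roots = sum(1 for a in range(p) if f_poly(a, d, p) == 0)
        worst = max(worst, Fraction(roots, p))
    return worst


if __name__ == "__main__":
    n, ell = 8, 3
    print("GF(2^8) -> 3 bits:", gf_family_max_collision(n, ell),
          "vs 1/2^ell =", Fraction(1, 2 ** ell))
    p, r = 7, 3
    print("F_7^3 -> F_7:", poly_family_max_collision(p, r),
          "vs (r-1)/|F| =", Fraction(r - 1, p))
```

For the GF(2^n) family every nonzero difference collides with exactly the same probability, 1/2^ℓ, as the bijection argument for Eq. 3.27 predicts; for the polynomial family the worst case (r−1)/|F| is attained only by differences whose polynomial splits completely over F.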


The motivation for considering $\delta$-almost two-universal functions as well as two-universal ones is so that we can minimize the amount of randomness necessary for Alice and Bob to implement the hashing. Alice needs to have enough uniform randomness to pick the hash function from the family that she then applies to her string. This randomness can be difficult to obtain and therefore we want to minimize the amount of uniform randomness needed in the protocol.

The amount of randomness required to choose the function $f$ from a family of two-universal hash functions (if $n$ is the length of the input) is $O(n)$ [CW79], while for $\delta$-almost families the amount of randomness is $O(\ell)$ [Sti94]. While the analysis can be more complicated with $\delta$-almost families, they can reduce the amount of randomness (and communication) needed in a run of a QKD protocol. Also, we will use hash functions in the information reconciliation step (see Section 3.3.2), which will minimize the amount of randomness and communication required there as well.

⁵ A bijection is a function where every input of the function has a unique output and every output of the function has a unique input.

With the definition of a family of two-universal hash functions we can 
now present the leftover hashing lemma. 

Lemma 3.3.3 (Leftover Hashing, Corollary 5.6.1 in [Ren05]). Let $K \in \mathcal{K}$ be a random variable, $E$ be a quantum system, and let $\mathcal{F}$ be a two-universal family of hash functions from $K \in \{0,1\}^n$ to $K' \in \{0,1\}^\ell$. If we define the states

$$ \rho^{f}_{K'} := |f(K)\rangle\langle f(K)|, \qquad \rho_{K'EF} := \frac{1}{|\mathcal{F}|} \sum_{f \in \mathcal{F}} \rho^{f}_{K'E} \otimes |f\rangle\langle f|, \qquad (3.31) $$

then

$$ D\!\left(\rho_{K'EF},\ \frac{\mathbb{1}_{K'}}{2^\ell} \otimes \rho_{EF}\right) \le \epsilon + 2^{-\frac{1}{2}\left(H^{\epsilon}_{\min}(K|E)_\rho - \ell\right) - 1}. \qquad (3.32) $$

This lemma can also be stated in a similar form using $\delta$-almost universal hash functions [TSSR10].

To understand how this lemma is useful, consider that Eve gets access to the function $f$ that Alice and Bob use for hashing since they communicate $f$ through the authenticated classical channel. This means that Eve’s state is her quantum system from before privacy amplification plus a description of the function $f$. If we compare Eq. 3.32 to Eq. 3.3, we see that Eve’s system $E$ in the definition of secrecy is the system $EF$ for leftover hashing. Also, Alice’s system here is $K'$, while in the secrecy definition Alice’s system was written as $A$.

We will only need the leftover hashing lemma when the protocol does not abort and therefore we are implicitly conditioning the states in Lemma 3.3.3 on the event that the protocol has not aborted. This means that instead of trying to bound the trace distance to prove secrecy, we can now try to bound the min-entropy $H^{\epsilon}_{\min}(K|E)$. If we take the log of Eq. 3.32 then we can rewrite it as

$$ -2 \log\!\left(D\!\left(\rho_{K'EF},\ \frac{\mathbb{1}_{K'}}{2^\ell} \otimes \rho_{EF}\right) - \epsilon\right) - 2 + \ell \ge H^{\epsilon}_{\min}(K|E)_\rho. \qquad (3.33) $$

This means that to upper bound the trace distance, we can instead try to lower bound the smooth min-entropy of Alice’s state conditioned on Eve’s state.




The leftover hashing lemma is also optimal, in the sense that very little randomness and communication is necessary and it gives an exponentially tight bound on the trace distance for secrecy by the min-entropy [Ren05]. This exponential bound is the kind of scaling that is necessary for efficient QKD. See Section 3.3.4 for more details.


Trevisan’s Extractor 

Another way of relating the trace distance to the min-entropy is by using Trevisan’s extractor. This extractor achieves the same goal as what the leftover hashing lemma accomplished: by using a small amount of randomness to choose a function from a family of two-universal hash functions, the secrecy trace distance could be upper bounded.

Trevisan’s extractor is a classical randomness extractor [Tre01] that is also a quantum-proof randomness extractor [DPVR12, MPS12]. Similarly to $\delta$-almost universal hashing, this extractor requires $O(\ell)$ bits of communication (see Defn. B.2.1). However, it requires a seed of size $O(\log^2(n/\epsilon) \log \ell)$ as opposed to a seed of size $O(\ell)$ as in leftover hashing. Therefore Trevisan’s extractor is more efficient in the amount of randomness necessary compared to leftover hashing.

The details of the function used to implement this extraction can be found in [Tre01, DPVR12]. Trevisan’s extractor is particularly useful for proving security when assuming that Eve has a limited memory at her disposal (called the bounded storage model) [Mau92, DV10].


3.3.2 Information Reconciliation 

By using the leftover hashing lemma (Lemma 3.3.3) or Trevisan’s extractor, the problem of proving a QKD protocol is secret (Defn. 3.2.1) has been turned into the problem of lower bounding the conditional smooth min-entropy $H^{\epsilon}_{\min}(K|E)$ of a classical string $K$ conditioned on Eve’s quantum state $\rho_E$. But we also need to be able to make sure that the protocol is correct, which can be accomplished by using an error correcting code to correct any errors between Alice’s and Bob’s strings. These errors can be due to Eve, noise in the quantum channel, and/or devices used in the protocol.

The task of classical error correction is to correct errors in a string (for example, the communication from a noisy channel), while classical information reconciliation is to turn two strings with correlations into two strings that are the same by possibly changing both of them. However, it is usually easier to consider information reconciliation in the special case of error correction, where Bob corrects his string to make it the same as Alice’s (which is called direct reconciliation). Alice and Bob can also do reverse reconciliation where Alice corrects her string to be the same as Bob’s. We consider direct reconciliation here for the simplicity of the presentation.

Consider the following scenario at this point in the protocol. Alice has a string $K_A$ and Bob has a string $K_B$ that may be different from $K_A$, while Eve has a quantum state $\rho_E$ that may have correlations with $K_A$ and $K_B$.⁶ Alice wants to send some function of her key to Bob so that Bob can use this information and $K_B$ to reconstruct $K_A$.

What is known from parameter estimation is an estimate of the error rate and an upper bound on the smooth max-entropy of Alice’s string conditioned on Bob’s (see Section 3.3.3). If these things are known then the only thing that Bob does not know is where his errors are in his string. Explicit error correcting codes define what communication is necessary so that Bob can find out where his errors are and correct them.

Two examples of explicit error correcting codes are low-density parity-check (LDPC) codes [Gal63] and polar codes [Ari08]. These codes provide an important advantage over other codes in that they are computationally efficient, achieving speeds that can be orders of magnitude faster compared to other codes. In certain cases, polar codes perform better than LDPC codes [JKJ13]. Also, both codes only require communication in one direction and with one message, while other codes can require communication back and forth over many rounds. There are explicit codes in the notes [Ste06] or the books [Ham80, MS77, Jon79, Hil86].

Both LDPC codes and polar codes are linear block codes, which means that the message that Alice needs to send to Bob in order for him to correct his errors is given by the multiplication of Alice’s string with a matrix.

LDPC codes use the parities of small sets of bits. Alice can compute 
the parities of small subsets of her string and send them to Bob. There are 
several algorithms available for Bob to use these parities with his string to 
find out where his errors are. 

6 In the previous sections we have used $K_A$ and $K_B$ to denote the keys of Alice and Bob 
that may include the aborting outcome $\perp$. However, in this section we will consider $K_A$ and 
$K_B$ to be conditioned on not aborting given Alice and Bob's results in parameter estimation. 

Polar codes use a particular matrix to be applied to Alice's string that 
can be made in a recursive way. For example, if Alice's string has a length 
that is a power of 2, her matrix is constructed by taking the tensor product of a 
fixed matrix $F$ with itself $n$ times to get the matrix $F^{\otimes n} = F \otimes F \otimes \cdots \otimes F$. 
Other matrices can be similarly constructed if the length of Alice's string is not a power of 2. 
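The following Python is an added illustration of the two preceding paragraphs and is not code from the thesis. It builds $F^{\otimes n}$ by repeated Kronecker products and shows the consequence of linearity that the text relies on: the difference between Alice's transformed string and Bob's depends only on Bob's error pattern. The kernel $F$ is assumed to be the standard polar-code kernel of [Ari08], which the text above does not write out, and the demonstration keeps the whole product $x F^{\otimes n}$ so that the algebra is visible; a real reconciliation step transmits only part of it and runs a polar decoder, neither of which is shown.

```python
# Added example, not code from the thesis.  Builds the polar transform
# F^{(x)n} recursively and shows the linearity of a linear block code over
# GF(2): the difference between Alice's transformed string and Bob's depends
# only on the error pattern e = x (+) x'.

# Assumed kernel: the standard polar-code kernel of [Ari08] (the text above
# does not show F explicitly).
F = [[1, 0],
     [1, 1]]


def kron_gf2(a, b):
    """Kronecker product of two 0/1 matrices; entries stay in {0, 1}."""
    return [[x * y for x in row_a for y in row_b]
            for row_a in a for row_b in b]


def polar_matrix(n):
    """F^{(x)n} = F (x) F (x) ... (x) F (n times), a 2^n x 2^n matrix."""
    m = [[1]]
    for _ in range(n):
        m = kron_gf2(m, F)
    return m


def vec_mat_gf2(bits, matrix):
    """Row vector times matrix over GF(2): the 'string times matrix' of a
    linear block code.  Only the rows selected by a 1-bit are XORed in."""
    out = [0] * len(matrix[0])
    for bit, row in zip(bits, matrix):
        if bit:
            out = [o ^ r for o, r in zip(out, row)]
    return out


def mat_mat_gf2(a, b):
    """Matrix product over GF(2)."""
    return [vec_mat_gf2(row, b) for row in a]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def is_self_inverse(matrix):
    """True when matrix * matrix = I over GF(2).  Holds for F^{(x)n} because
    F * F = I mod 2 and the Kronecker product of identities is the identity."""
    size = len(matrix)
    identity = [[int(i == j) for j in range(size)] for i in range(size)]
    return mat_mat_gf2(matrix, matrix) == identity


def recover_error_pattern(u_alice, x_bob, matrix):
    """Bob holds x' = x (+) e and receives u = x * G from Alice.  By linearity
    u (+) x' * G = e * G, and because G = F^{(x)n} is its own inverse,
    multiplying once more by G returns e itself."""
    return vec_mat_gf2(xor(u_alice, vec_mat_gf2(x_bob, matrix)), matrix)


def demo():
    """Constructed sample: an 8-bit string of Alice's and two bit flips on
    Bob's side.  Returns the error pattern Bob finds and whether applying it
    gives back Alice's string."""
    G = polar_matrix(3)                      # 8 x 8
    x_alice = [1, 0, 1, 1, 0, 0, 1, 0]
    e = [0, 0, 1, 0, 0, 0, 0, 1]             # Bob's errors (unknown to Bob)
    x_bob = xor(x_alice, e)
    u = vec_mat_gf2(x_alice, G)              # what Alice computes and sends
    e_found = recover_error_pattern(u, x_bob, G)
    return e_found, xor(x_bob, e_found) == x_alice
```

Because $F^2 = I$ over GF(2), $F^{\otimes n}$ is its own inverse, which is what makes `recover_error_pattern` a one-line computation here; in an actual code Alice's message is far shorter than $x F^{\otimes n}$, and Bob's side is a decoding problem rather than a matrix inversion.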

Alternatively, it is not necessary for Alice and Bob to estimate the number 
of errors in parameter estimation for the error correction procedure. 
They can do their estimation before the QKD protocol by running a short 
version of the quantum stage of the protocol. Bob can communicate his 
measurement results to Alice through a classical channel that is not 
necessarily authenticated. Alice and Bob can then estimate how many errors 
they will have when they run the actual QKD protocol. This method has 
the advantage that Alice and Bob can choose an error correcting code 
for the protocol that is optimized for the number of errors they expect. 

In the case where there is no eavesdropper and Alice and Bob estimate 
their errors before the QKD protocol, a good estimate can be found for the 
number of errors Alice and Bob will have when they run the QKD protocol 
due to noise in the quantum channel and their devices. If there is an 
eavesdropper then their estimated error rate may be wrong and therefore 
Alice and Bob will need to check to see if their error correction succeeds 
or fails during the QKD protocol. Note that Bob does not have access to 
Alice's system, so neither Alice nor Bob knows whether error correction succeeded. 
We can use two-universal hash functions again (Defn. 3.3.2) for 
this checking procedure. 

Alice can (uniformly at random) choose a two-universal hash function 
from a family of such functions and apply it to her key. Alice then sends 
the function $f_{\mathrm{cor}}$ and the evaluation of the function $f_{\mathrm{cor}}(K_A)$ to Bob, who 
computes the function on his key, $f_{\mathrm{cor}}(K_B)$. If the hash values are equal, 
then with high probability Alice's and Bob's keys are the same. Due to 
the defining property (Defn. 3.3.2) of two-universal families of hash functions, it is clear 
that the QKD protocol is $\varepsilon_{\mathrm{cor}}$-correct if two-universal hash functions are 
used with an output space of size $2^{\lceil \log(1/\varepsilon_{\mathrm{cor}}) \rceil}$, since 

$$\Pr\left[f_{\mathrm{cor}}(K_A) = f_{\mathrm{cor}}(K_B) \mid K_A \neq K_B\right] \le 2^{-\lceil \log(1/\varepsilon_{\mathrm{cor}}) \rceil} \le \varepsilon_{\mathrm{cor}}, \qquad (3.35)$$

which implies that 

$$\underbrace{\Pr\left[f_{\mathrm{cor}}(K_A) = f_{\mathrm{cor}}(K_B) \mid K_A \neq K_B\right]}_{\le \varepsilon_{\mathrm{cor}}} \; \underbrace{\Pr\left[K_A \neq K_B\right]}_{\le 1} \qquad (3.36)$$

$$= \Pr\left[K_A \neq K_B \mid f_{\mathrm{cor}}(K_A) = f_{\mathrm{cor}}(K_B)\right] \; \underbrace{\Pr\left[f_{\mathrm{cor}}(K_A) = f_{\mathrm{cor}}(K_B)\right]}_{=1}, \qquad (3.37)$$

where we use the fact that the protocol aborts when $f_{\mathrm{cor}}(K_A) \neq f_{\mathrm{cor}}(K_B)$. 
Therefore we have 

$$\Pr\left[K_A \neq K_B \mid f_{\mathrm{cor}}(K_A) = f_{\mathrm{cor}}(K_B)\right] \le \varepsilon_{\mathrm{cor}}, \qquad (3.38)$$

which means that Alice's and Bob's strings are the same after error correction 
if their hash values agree, except with probability $\varepsilon_{\mathrm{cor}}$. 

For security we need that the keys that are put through the hash function 
in privacy amplification are correct. If the keys $K_A$ and $K_B$ after information 
reconciliation are the same (which happens with probability at 
least $1 - \varepsilon_{\mathrm{cor}}$) then their hashes are guaranteed to be the same, which 
implies that the protocol is $\varepsilon_{\mathrm{cor}}$-correct even after privacy amplification: 

$$\Pr\left[f_{\mathrm{pa}}(K_A) \neq f_{\mathrm{pa}}(K_B)\right] \le \Pr\left[K_A \neq K_B\right] \le \varepsilon_{\mathrm{cor}}, \qquad (3.39)$$

where $f_{\mathrm{pa}}$ is the hash function applied in privacy amplification. 

Note that this checking procedure guarantees that the protocol is $\varepsilon_{\mathrm{cor}}$-correct 
without needing to make any assumptions about the error rate 
or the error correcting code. Alice and Bob can therefore employ any 
error correcting code and can check their errors before the protocol, even 
without the use of an authenticated channel. 
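As an added example of the check just described (Python, not code from the thesis): Alice draws $f_{\mathrm{cor}}$ from a two-universal family with output length $\lceil \log(1/\varepsilon_{\mathrm{cor}}) \rceil$, sends the function together with $f_{\mathrm{cor}}(K_A)$, and Bob compares it with $f_{\mathrm{cor}}(K_B)$. The family is an assumption of this example: $f_M(x) = xM$ over GF(2) for a uniformly random $n \times \ell$ binary matrix $M$, which is two-universal because for $x \ne y$ the vector $x \oplus y$ is non-zero, so each of the $\ell$ output bits of $(x \oplus y)M$ is a uniform bit and the collision probability is exactly $2^{-\ell}$. The last function estimates the probability in Eq. 3.35 on constructed pairs of keys that differ in one bit.

```python
import math
import random

# Added example, not code from the thesis.  The correctness check of this
# section: Alice picks f_cor from a two-universal family, sends f_cor and
# f_cor(K_A), and Bob compares with f_cor(K_B).  The family is an assumption
# of this example: f_M(x) = x * M over GF(2) for a uniformly random n x l
# binary matrix M.  For x != y the vector x (+) y is non-zero, so each of the
# l bits of (x (+) y) * M is a uniform bit and Pr[f_M(x) = f_M(y)] = 2^-l.


def output_bits(eps_cor):
    """Output length ceil(log2(1 / eps_cor)) from Eq. 3.35."""
    return math.ceil(math.log2(1.0 / eps_cor))


def sample_hash(n, ell, seed):
    """Choose f_cor uniformly from the family: an n x ell matrix of random bits."""
    rng = random.Random(seed)
    return [[rng.getrandbits(1) for _ in range(ell)] for _ in range(n)]


def apply_hash(matrix, bits):
    """x * M over GF(2): XOR together the rows of M selected by the 1-bits of x."""
    out = [0] * len(matrix[0])
    for bit, row in zip(bits, matrix):
        if bit:
            out = [o ^ r for o, r in zip(out, row)]
    return tuple(out)


def correctness_check(k_alice, k_bob, eps_cor, seed):
    """True when f_cor(K_A) = f_cor(K_B) (the protocol continues), False when
    they differ (the protocol aborts).  Alice's random choice of f_cor is
    derived from `seed`; in the protocol she sends the matrix itself to Bob."""
    f_cor = sample_hash(len(k_alice), output_bits(eps_cor), seed)
    return apply_hash(f_cor, k_alice) == apply_hash(f_cor, k_bob)


def estimate_false_accept(n, eps_cor, trials, seed):
    """Empirical Pr[f_cor(K_A) = f_cor(K_B) | K_A != K_B] over constructed
    pairs of keys that differ in one bit.  Eq. 3.35 bounds this by
    2^-ceil(log2(1/eps_cor)) <= eps_cor; for this family it is exactly that."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        k_alice = [rng.getrandbits(1) for _ in range(n)]
        k_bob = list(k_alice)
        k_bob[rng.randrange(n)] ^= 1          # keys differ in exactly one bit
        if correctness_check(k_alice, k_bob, eps_cor, seed=rng.getrandbits(32)):
            accepted += 1
    return accepted / trials
```

Sending $M$ costs $n\ell$ bits of randomness and communication; it is the simplest family with the two-universal property, not the most economical one. The $\ell$ bits of $f_{\mathrm{cor}}(K_A)$ are communication from Alice to Bob and so count among the leaked bits discussed in the following paragraphs.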

It is important to know how much information has been leaked to Eve 
during error correction. Typically, all of the bits of communication 
sent from Alice to Bob in the error correction protocol are considered to 
be leaked bits of information to Eve. The amount of communication will 
depend on the particular error correcting code used. The fundamental 
limit on the minimal amount of communication necessary for finite-key 
QKD was recently analyzed in [TMMPE14]. There are also upper bounds 
on the amount of leaked information to Eve under various assumptions in 
[RR12, Ren05, RW05, SR08a, SR08b]. 

The communication that leaks information to Eve can be accounted 
for with privacy amplification by removing the classical information from 
Eve's system before error correction by using a chain rule for the min-entropy. 
If $C$ is the classical communication about the key that Eve learns 
from error correction, then [TLGR12] 

$$H^{\varepsilon}_{\min}(K_A \mid EC) \ge H^{\varepsilon}_{\min}(K_A \mid E) - \log|C|, \qquad (3.40)$$

where $|C|$ is the number of strings that have the same length as $C$. This 
means that if a lower bound on $H^{\varepsilon}_{\min}(K_A \mid E)$ can be shown then $H^{\varepsilon}_{\min}(K_A \mid EC)$ 
will also be lower bounded and therefore the protocol can be proven secure. 


We have reduced proving correctness to estimating the number of 
errors, either through parameter estimation in the QKD protocol or by 
doing an estimation procedure before the protocol. It still remains to show 
that $H^{\varepsilon}_{\min}(K_A \mid E)$ is lower bounded so that the protocol is approximately 
secret. For example, this proof can be done by bounding the max-entropy 
(see Section 3.4.2). The max-entropy can be estimated from the number of 
errors between Alice's and Bob's strings, which is one of the possible goals 
for parameter estimation. 


3.3.3 Parameter Estimation 

After the quantum stage of the QKD protocol, Alice and Bob have to 
estimate the error rate between their strings $K_A$ and $K_B$. This rate will upper 
bound the smooth max-entropy. If the error correcting code is checked 
by using hashing, then it is not necessary to estimate the error rate or 
max-entropy during parameter estimation for the information reconciliation 
step. However, as we will see in Section 3.4, an estimate of the 
max-entropy of Alice's string conditioned on Bob's string can be used to 
prove a lower bound on the min-entropy of Alice's string conditioned on 
Eve's state, which proves that the protocol is secret (see Section 3.3.1). 

Parameter estimation can be dependent on what kinds of assumptions 
are made in the model of the protocol. These assumptions will be 
discussed in Chapter 4. However, parameter estimation can be performed 
for many protocols independently of these assumptions. We break down 
its discussion into two scenarios: the finite-key and the infinite-key scenario. 
The infinite-key scenario is just the limit as the number of signals goes to 
infinity (see Section 3.4.1). 

One way to perform parameter estimation is for Alice to send a uniformly 
random subset of her string to Bob along with the positions that 
describe her subset. Bob will compare this subset with the same subset 
of his string and announce the ratio of the number of errors between the 
subsets to the length of the subset. If this ratio is above a threshold, $\Lambda_{\max}$, 
they will abort the protocol and otherwise they will continue. 

Another way to perform parameter estimation is to do it simultaneously 
with information reconciliation. One such protocol is the cascade 
protocol [BS94]. This protocol compares the parity of small sets of bits to 
see if they are the same or not. If the parities are different then Alice and 
Bob will do an error-correcting procedure on this set of bits. Alice and Bob 
repeat the checking of several parities for different randomly-chosen sets 
of bits to correct their errors. By checking these parities, Alice and Bob 
can also estimate the number of errors between their strings. The cascade 
protocol is less efficient than the information reconciliation protocols from 
Section 3.3.2, so we do not consider it here. Instead, we focus on parameter 
estimation that is done completely prior to information reconciliation. 


Finite-Key Parameter Estimation 

Bob can apply one of several bounds to estimate the total error between 
Alice's and Bob's strings using the subset that Alice communicates. 
The tightest of these for our purposes is due to Serfling [Ser74]. Serfling's 
inequality is an improvement on a bound by Hoeffding [Hoe63], which is 
related to bounds by Chernoff [Che52]. For our purposes Serfling's bound 
can be stated as follows. 

Lemma 3.3.4 (Serfling's Inequality [Ser74]). Given a set of random variables 
$K_i$ with values $k_i \in \{0, 1\}$, where $i \in [N]$, we define the average as $\bar{K} := \frac{1}{N}\sum_{i=1}^{N} K_i$. 
If a sample (without replacement) of size $n$ out of $\{K_i\}_i$ is taken 
with values $X_j$, where $j \in [n]$, then its average is defined as $\bar{X} := \frac{1}{n}\sum_{j=1}^{n} X_j$. 
Let $k = N - n$ and $0 < \beta < 1$. Then 

$$\Pr\left[\bar{X} \ge \bar{K} + \beta\right] \le e^{-\frac{2\beta^2 n N}{k+1}}. \qquad (3.41)$$

This inequality means that the probability that the sample average 
is bigger than the total average is exponentially small in the sample size. 
The weaker bound by Hoeffding [Hoe63] is sometimes used for simplicity, 
which changes the upper bound in Eq. 3.41 to $e^{-2\beta^2 n}$. 

Now we want to use this bound to show how a sample of size $k$ communicated 
from Alice to Bob can put a bound on the probability that the 
error ratio in the remaining $n$ bits ($\Lambda_n$) is larger than the observed error 
ratio in the sampled $k$ bits ($\Lambda_k$). This probability is conditioned on the error 
ratio being lower than a certain threshold. Formally, we want an upper 
bound to: 

$$\Pr\left[\Lambda_n \ge \Lambda_k + \gamma \mid \Lambda_k \le \Lambda_{\max}\right], \qquad (3.42)$$

where $\gamma$ is a small constant. Formally these error ratios are defined as 
$\Lambda_n := \frac{1}{n}\left|K_A^n \oplus K_B^n\right|$ and $\Lambda_k := \frac{1}{k}\left|K_A^k \oplus K_B^k\right|$, where Alice's key is split into the 
set of $k$ bits and $n$ bits, $K_A = K_A^k K_A^n$, and $|K_A \oplus K_B|$ is the Hamming weight of 
the string $K_A \oplus K_B$ (see Footnote 7). Bob's key is divided along the same partition of $k$ and 
$n$ bits. 

Note that since the $k$ bits will be communicated they should be sampled 
without replacement, which is in accordance with Lemma 3.3.4. The 
following bound on this probability is from [TLGR12]. 

First, from Bayes' theorem we can write 

$$\Pr\left[\Lambda_n \ge \Lambda_k + \gamma \mid \Lambda_k \le \Lambda_{\max}\right] \le \frac{\Pr\left[\Lambda_n \ge \Lambda_k + \gamma\right]}{\Pr\left[\Lambda_k \le \Lambda_{\max}\right]}. \qquad (3.43)$$

If we define the ratio $\nu = k/N$ then we can write the total error rate as 

$$\Lambda = \nu\Lambda_k + (1-\nu)\Lambda_n, \qquad (3.44)$$

where $\Lambda := \frac{1}{N}|K_A \oplus K_B|$ is the error ratio between Alice's and Bob's complete 
strings. Now we can bound 

$$\Pr\left[\Lambda_n \ge \Lambda_k + \gamma\right] = \Pr\left[\nu\Lambda_n \ge \nu\Lambda_k + \nu\gamma\right] \qquad (3.45)$$

$$= \Pr\left[\Lambda_n \ge \nu\Lambda_k + (1-\nu)\Lambda_n + \nu\gamma\right] \qquad (3.46)$$

$$= \Pr\left[\Lambda_n \ge \Lambda + \nu\gamma\right] \qquad (3.47)$$

$$\le e^{-\frac{2k^2 n\gamma^2}{(k+1)N}}, \qquad (3.48)$$

where in the last line we apply Serfling's inequality (Lemma 3.3.4) with $\beta = \nu\gamma$ and we 
use the definition that $\nu = k/N$. Eq. 3.43 can be written as 

$$\Pr\left[\Lambda_n \ge \Lambda_k + \gamma \mid \Lambda_k \le \Lambda_{\max}\right] \le \frac{e^{-\frac{2k^2 n\gamma^2}{(k+1)N}}}{\Pr\left[\Lambda_k \le \Lambda_{\max}\right]}. \qquad (3.49)$$

This inequality bounds the probability that the error ratio on the rest 
of the key, $K^n$, is larger than the error ratio on the smaller sample $K^k$ plus a 
small amount $\gamma$, given that the error ratio on the sample of $k$ bits is below the 
threshold. However, what we really want is to upper bound 
the max-entropy to show that the protocol is secret, as we will show later 
(Section 3.4.2). 

We can use Eq. 3.49 to show an upper bound on the max-entropy 
[TLGR12], since from the definition of the max-entropy (Defn. 2.3.7) for 
classical random variables, the max-entropy is just the log of the size of the support 
of the random variable (see Eq. 3.56 below). The problem we have at this 
point is that we only have a probabilistic bound on the number of errors, 
Eq. 3.49, and we need instead a fixed upper bound. 

7 The Hamming weight of a binary string $X = (X_1, X_2, \ldots, X_n)$ is defined as $|X| := \sum_i X_i$, 
i.e. the number of 1's in $X$. 


To get to a fixed bound on the number of errors, consider the probability 
distribution 

$$P_{K_A K_B \Lambda_k}(k_A, k_B, \lambda_k) := \Pr\left[K_A = k_A, K_B = k_B, \Lambda_k = \lambda_k \mid \Lambda_k \le \Lambda_{\max}\right]. \qquad (3.50)$$

We can define another probability distribution 

$$Q_{K_A K_B \Lambda_k}(k_A, k_B, \lambda_k) := \begin{cases} \dfrac{P_{K_A K_B \Lambda_k}(k_A, k_B, \lambda_k)}{\Pr\left[\Lambda_n < \Lambda_k + \gamma \mid \Lambda_k \le \Lambda_{\max}\right]} & \text{if } \lambda_n < \lambda_k + \gamma, \\[1ex] 0 & \text{otherwise}, \end{cases} \qquad (3.51)$$

where $\lambda_n$ is the error ratio on the remaining $n$ bits of $k_A$ and $k_B$. 
We construct this distribution because under the distribution $Q$ we know 
that $\Lambda_n < \Lambda_k + \gamma \le \Lambda_{\max} + \gamma$ with probability 1. This means that the number 
of errors on the $n$ key bits, $W := n\Lambda_n$, satisfies 

$$W \le \lfloor n(\Lambda_{\max} + \gamma) \rfloor. \qquad (3.52)$$

To bound the max-entropy, we need that $P$ and $Q$ are close with respect 
to the purified distance (Defn. B.3.7), which is true since the fidelity is 
bounded using Eq. 3.49: 

$$F(P, Q) = \sum_{k_A, k_B, \lambda_k} \sqrt{P(k_A, k_B, \lambda_k)\, Q(k_A, k_B, \lambda_k)} \qquad (3.53)$$

$$= \sum_{\substack{k_A, k_B, \lambda_k \\ \lambda_n < \lambda_k + \gamma}} \frac{P(k_A, k_B, \lambda_k)}{\sqrt{\Pr\left[\Lambda_n < \Lambda_k + \gamma \mid \Lambda_k \le \Lambda_{\max}\right]}} \qquad (3.54)$$

$$= \sqrt{\Pr\left[\Lambda_n < \Lambda_k + \gamma \mid \Lambda_k \le \Lambda_{\max}\right]}. \qquad (3.55)$$

Now we can use the definition of the conditional max-entropy for classical 
probability distributions: 

$$H_{\max}(X \mid Y)_P = \max_{y \in \mathcal{S}_Y} \log\left|\mathrm{supp}\, P_{X \mid Y = y}\right|, \qquad (3.56)$$

where $\mathcal{S}_Y$ is the set of possible values for the distribution $P_Y$ and $P_{XY}$ is a 
probability distribution with marginal distribution $P_Y$. This implies that 

$$H^{\varepsilon}_{\max}(K_A \mid K_B)_P \le H_{\max}(K_A \mid K_B)_Q \le \log \sum_{w=0}^{\lfloor n(\Lambda_{\max}+\gamma) \rfloor} \binom{n}{w}, \qquad (3.57)$$

where $\varepsilon := e^{-\frac{k^2 n \gamma^2}{(k+1)N}} \Big/ \sqrt{\Pr\left[\Lambda_k \le \Lambda_{\max}\right]}$. In the first inequality we used 
the definition of the smooth max-entropy (Defn. 2.3.9). In the second 
inequality we used the definition of the max-entropy for classical distributions, 
Eq. 3.56. Since the distribution $Q$ only has support on strings with 
$\Lambda_n < \Lambda_k + \gamma \le \Lambda_{\max} + \gamma$, we just count how many strings of length $n$ 
have fewer than $n(\Lambda_{\max} + \gamma)$ errors. 

We can end by using a technical result from Theorem 1.4.5 of [vL99] 
which gives the upper bound 

$$\log \sum_{w=0}^{\lfloor n(\Lambda_{\max}+\gamma) \rfloor} \binom{n}{w} \le n\, h(\Lambda_{\max} + \gamma), \qquad (3.58)$$

where $h(\cdot)$ is the binary entropy function (Defn. 2.3.2). By combining 
Eq. 3.57 and Eq. 3.58 we get an upper bound for the max-entropy: 

$$H^{\varepsilon}_{\max}(K_A \mid K_B)_P \le n\, h(\Lambda_{\max} + \gamma). \qquad (3.59)$$
Note that the number of random bits needed to choose $k$ elements 
from $N$ elements is given by $\lceil \log \binom{N}{k} \rceil$ since there are $\binom{N}{k}$ ways 
to do this. Therefore a string of $\lceil \log \binom{N}{k} \rceil$ bits of uniform randomness is 
needed to choose the set of $k$ measurement outcomes (or basis-sifted measurement 
outcomes) that should be communicated for parameter estimation. 

If the size of the subset does not need to be fixed, then by picking each 
measurement outcome with probability $k/N$, the subset will approximately 
(and in expectation) be of size $k$. The number of bits of uniform randomness 
that are required in this case is $\lceil N h(k/N) \rceil$, where $h(\cdot)$ is the binary 
entropy function. Note that $\log \binom{N}{k} \le N h(k/N)$ (which can be proved using 
Stirling's approximation) and so less randomness is needed by using the 
previous picking method. However, the difference between these methods 
is negligible for large $N$, which is a consequence of the method of types 
described in the next section. 
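As an added example covering the sampling procedure, Lemma 3.3.4 as applied in Eqs. 3.48 and 3.49, the max-entropy bound of Eq. 3.59 and the randomness counts of the paragraph above (Python, not code from the thesis): Alice's and Bob's strings are constructed, with Bob's copy obtained by passing Alice's uniform bits through a binary symmetric channel with flip probability $q$ that stands in for channel and device noise. The condition $\Lambda_{\max} + \gamma \le 1/2$ that Theorem 1.4.5 of [vL99] needs for Eq. 3.58 is checked explicitly.

```python
import math
import random

# Added example, not code from the thesis.  Implements the sampling step of
# parameter estimation, the bounds of Eqs. 3.41, 3.48 and 3.49, the smoothing
# parameter of Eq. 3.57, the max-entropy bound of Eq. 3.59 and the two
# randomness counts discussed above.  Alice's and Bob's strings are
# constructed: Bob's copy is Alice's string through a BSC with flip
# probability q.


def h(p):
    """Binary entropy function (Defn. 2.3.2) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def serfling_tail(n, N, beta):
    """Right-hand side of Eq. 3.41: exp(-2 beta^2 n N / (k + 1)) with k = N - n."""
    k = N - n
    return math.exp(-2.0 * beta ** 2 * n * N / (k + 1))


def pe_tail(N, k, gamma):
    """Eq. 3.48: Serfling applied to the n = N - k remaining bits with
    beta = nu * gamma and nu = k / N, i.e. exp(-2 k^2 n gamma^2 / ((k+1) N))."""
    return serfling_tail(N - k, N, (k / N) * gamma)


def smoothing_eps(N, k, gamma, pr_pass):
    """epsilon of Eq. 3.57, with pr_pass = Pr[Lambda_k <= Lambda_max]."""
    return math.sqrt(pe_tail(N, k, gamma)) / math.sqrt(pr_pass)


def log_binomial_sum(n, lam):
    """log2 of sum_{w=0}^{floor(n lam)} C(n, w): the left side of Eq. 3.58."""
    return math.log2(sum(math.comb(n, w) for w in range(math.floor(n * lam) + 1)))


def max_entropy_bound(N, k, lambda_max, gamma):
    """Eq. 3.59: H^eps_max(K_A | K_B) <= n h(lambda_max + gamma), n = N - k.
    Theorem 1.4.5 of [vL99] behind Eq. 3.58 needs lambda_max + gamma <= 1/2."""
    lam = lambda_max + gamma
    if lam > 0.5:
        raise ValueError("Eq. 3.58 requires lambda_max + gamma <= 1/2")
    return (N - k) * h(lam)


def randomness_bits(N, k):
    """(ceil(log2 C(N, k)), ceil(N h(k/N))): uniform random bits needed to pick
    a fixed-size subset of k positions versus picking each position
    independently with probability k / N."""
    return math.ceil(math.log2(math.comb(N, k))), math.ceil(N * h(k / N))


def make_keys(N, q, seed):
    """Constructed sample strings: Alice uniform, Bob = Alice through BSC(q)."""
    rng = random.Random(seed)
    k_alice = [rng.getrandbits(1) for _ in range(N)]
    k_bob = [b ^ int(rng.random() < q) for b in k_alice]
    return k_alice, k_bob


def sample_and_compare(k_alice, k_bob, k, lambda_max, seed):
    """Alice picks k positions uniformly without replacement and sends the
    bits there; Bob compares and announces Lambda_k.  Returns
    (Lambda_k, Lambda_n, continue?), where Lambda_n is the error ratio on the
    remaining n = N - k bits and is known only to the simulation, not to Bob."""
    N = len(k_alice)
    sampled = set(random.Random(seed).sample(range(N), k))
    errors_k = sum(k_alice[i] != k_bob[i] for i in sampled)
    errors_n = sum(k_alice[i] != k_bob[i] for i in range(N) if i not in sampled)
    lambda_k, lambda_n = errors_k / k, errors_n / (N - k)
    return lambda_k, lambda_n, lambda_k <= lambda_max
```

Running `sample_and_compare` many times with different seeds and counting how often $\Lambda_n \ge \Lambda_k + \gamma$ gives an empirical check that the observed frequency stays below the tail of Eq. 3.49; the bound is loose for small $k$ because the factor $k^2/((k+1)N)$ in the exponent is what the sample size buys.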

Now we have shown an upper bound on the max-entropy, Eq. 3.59, 
which can be used to show that the QKD protocol is correct (see Section 3.3.2). 
What still remains is to lower bound the min-entropy in order 
to show that the protocol is secret (see Section 3.3.1). The bound on the 
min-entropy is more dependent on the type of protocol than the bound on 
the max-entropy. Therefore, we discuss how this bound can be obtained in 
various scenarios in Section 3.4. One of these methods (see Section 3.4.2) 
will relate the max-entropy to the min-entropy to show that the protocol 
is secret. 
Infinite-Key Parameter Estimation 

The finite-key parameter estimation inequality (Eq. 3.59) 
can be taken in the limit of an infinite number of signals sent between Alice 
and Bob. In this limit, we can use the Quantum Asymptotic Equipartition 
Property (QAEP) (Theorem 2.3.12) to transform Eq. 3.59 into Eq. 3.60. 
However, we can also prove this result directly, without the need of the 
max-entropy or the QAEP. We include this proof in this section for completeness. 

In the limit as the key has infinite length, the max-entropy approaches 
the von Neumann entropy, due to the QAEP. So in this case we only need to 
show an upper bound on $H(K_A \mid K_B)$. Since $K_A$ and $K_B$ are strings, $H(K_A \mid K_B)$ 
is the Shannon entropy. This entropy can be bounded by using the method 
of types [Csi98]. The method of types puts an upper bound on the entropy 
$H(K_A \mid K_B)$ in terms of the binary entropy function (Defn. 2.3.2). 

Lemma 3.3.5 (Error rate and entropy). Given two classical strings $K_A$ and 
$K_B$ then 

$$h(q) \ge H(K_A \mid K_B), \qquad (3.60)$$

where $q$ is the error rate between $K_A$ and $K_B$ in the limit as the size, $n$, of the 
strings goes to infinity. The error rate is defined as 

$$q := \lim_{n \to \infty} q_n := \lim_{n \to \infty} \frac{\left|K_A^n \oplus K_B^n\right|}{n}, \qquad (3.61)$$

where $K_A^n$ and $K_B^n$ are the first $n$ bits of $K_A$ and $K_B$ respectively, and $|\cdot|$ denotes 
the Hamming weight (see Footnote 7). 


Proof. First, we prove that $H(K_A \mid K_B) \le H(K_A \oplus K_B)$ from the definition of 
the conditional entropy: 

$$H(K_A \oplus K_B) \ge H(K_A \oplus K_B \mid K_B) \qquad (3.62)$$

$$= \sum_{k_B} p(k_B)\, H(K_A \oplus k_B \mid K_B = k_B) \qquad (3.63)$$

$$= \sum_{k_B} p(k_B)\, H(K_A \mid K_B = k_B) \qquad (3.64)$$

$$= H(K_A \mid K_B), \qquad (3.65)$$

where the first line comes from the data-processing inequality, and the 
third line comes from the fact that $K_A \oplus k_B$ has the same uncertainty as $K_A$ 
if $k_B$ is known. 
Next, the method of types [Csi98] gives the following upper and lower 
bounds on the number of strings of length $n$ with error rate $q_n$, denoted as 
$\left|T^n_{q_n}\right|$: 

$$\frac{2^{n h(q_n)}}{n+1} \le \left|T^n_{q_n}\right| \le 2^{n h(q_n)}. \qquad (3.66)$$

Taking the $\log = \log_2$ of both sides and dividing by $n$, then taking the limit 
as $n \to \infty$ for the LHS gives: 

$$h(q) = \lim_{n \to \infty} h(q_n) \le \lim_{n \to \infty} \left( \frac{\log(n+1)}{n} + \frac{\log\left|T^n_{q_n}\right|}{n} \right) \qquad (3.67)$$

$$= \lim_{n \to \infty} \frac{\log\left|T^n_{q_n}\right|}{n}. \qquad (3.68)$$

For the RHS we get: 

$$\lim_{n \to \infty} \frac{\log\left|T^n_{q_n}\right|}{n} \le h(q). \qquad (3.69)$$

Combining the two bounds, we have 

$$h(q) = \lim_{n \to \infty} \frac{\log\left|T^n_{q_n}\right|}{n}. \qquad (3.70)$$

Note that a uniform distribution $U$ over a set with $n$ elements has entropy 

$$-\sum_{i=1}^{n} \frac{1}{n} \log\frac{1}{n} = -n \cdot \frac{1}{n} \log\frac{1}{n} = \log n. \qquad (3.71)$$

Now recall that $\left|T^n_{q_n}\right|$ is the number of strings of length 
$n$ with error rate $q_n$. This means that $\log\left|T^n_{q_n}\right| = H(U^n_{q_n})$, where $H(U^n_{q_n})$ is the 
entropy of a uniform distribution on the support over all strings that have 
length $n$ and error rate $q_n$. Therefore, we have that $H(K_A^n \oplus K_B^n) \le H(U^n_{q_n})$, 
since the maximum entropy occurs for a uniform distribution. Dividing 
this inequality by $n$ and taking the limit as $n \to \infty$, using $\log\left|T^n_{q_n}\right| = H(U^n_{q_n})$ 
and Eq. 3.65 gives the result: 

$$H(K_A \mid K_B) \le \lim_{n \to \infty} \frac{H(K_A^n \oplus K_B^n)}{n} \le \lim_{n \to \infty} \frac{\log\left|T^n_{q_n}\right|}{n} = h(q), \qquad (3.72)$$

where we define the entropy in the asymptotic limit as $H(K_A \oplus K_B) := \lim_{n \to \infty} \frac{1}{n} H(K_A^n \oplus K_B^n)$. □ 

Now all that is left is to estimate the error rate $q$. This estimation 
can be done perfectly in the infinite-key limit, since Alice can tell Bob a 
small fraction of her infinitely-long string, which will also be infinitely 
long. Bob then checks to see what their error rate is. Since their keys 
are infinitely long, they can get a perfect estimate of their error rate from 
Serfling's inequality (Lemma 3.3.4). Alice and Bob can also estimate any 
other statistical quantity of their strings in this scenario since they have 
infinitely long strings. 
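As an added numerical check of Lemma 3.3.5 and the sandwich of Eq. 3.66 (Python, not code from the thesis): $|T^n_{q_n}| = \binom{n}{q_n n}$ is computed exactly, its normalized logarithm is compared with $h(q)$, and the inequality $H(K_A \mid K_B) \le H(K_A \oplus K_B) = h(q)$ is evaluated on a constructed joint distribution of one bit of each string, in which Bob's bit is Alice's bit passed through a binary symmetric channel with flip probability $q$. Equality holds when Alice's bit is uniform; a biased bit gives strict inequality, which the first step of the proof (Eq. 3.62) allows.

```python
import math

# Added example, not code from the thesis.  Checks Lemma 3.3.5 and the
# method-of-types sandwich (Eq. 3.66) numerically: |T^n_{q_n}| is the exact
# binomial coefficient, and H(K_A | K_B) <= H(K_A (+) K_B) = h(q) is evaluated
# on a constructed joint distribution of one bit of Alice's and Bob's strings.


def h(p):
    """Binary entropy function (Defn. 2.3.2) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def type_class_size(n, errors):
    """|T^n_{q_n}|: strings of length n with exactly `errors` ones, q_n = errors/n."""
    return math.comb(n, errors)


def type_class_log_bounds(n, errors):
    """Eq. 3.66 after taking log2, as (lower, log2 |T|, upper):
    n h(q_n) - log2(n + 1) <= log2 |T^n_{q_n}| <= n h(q_n)."""
    nh = n * h(errors / n)
    return nh - math.log2(n + 1), math.log2(type_class_size(n, errors)), nh


def normalized_log_size(n, q):
    """(1/n) log |T^n_{q_n}| with q_n = floor(q n)/n; Eq. 3.70 says this -> h(q)."""
    return math.log2(type_class_size(n, math.floor(q * n))) / n


def bsc_joint(p_one, q):
    """Constructed joint distribution {(k_A, k_B): p}: Alice's bit is 1 with
    probability p_one and Bob's bit is Alice's flipped with probability q."""
    return {(0, 0): (1 - p_one) * (1 - q), (0, 1): (1 - p_one) * q,
            (1, 0): p_one * q, (1, 1): p_one * (1 - q)}


def conditional_entropy(pxy):
    """H(X | Y) in bits for a joint distribution given as {(x, y): p}."""
    py = {}
    for (_, y), p in pxy.items():
        py[y] = py.get(y, 0.0) + p
    return -sum(p * math.log2(p / py[y]) for (_, y), p in pxy.items() if p > 0)


def xor_entropy(pxy):
    """H(X (+) Y) for a joint distribution of two bits: h(Pr[X != Y])."""
    p_diff = sum(p for (x, y), p in pxy.items() if x != y)
    return h(p_diff)
```

For the BSC construction $H(K_A \oplus K_B) = h(q)$ whatever Alice's bias, because the flip indicator is independent of her bit, while $H(K_A \mid K_B)$ drops below $h(q)$ as soon as her bit is biased; the gap between $(1/n)\log|T^n_{q_n}|$ and $h(q)$ shrinks like $\log(n+1)/n$, which is the point of Eq. 3.70.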
3.3.4 Tuning Parameters 

In this chapter so far we have defined security and used the classical 
post-processing steps to reduce the problem of proving security via the 
trace distance between the states in the ideal protocol and the real protocol 
to a lower bound on the min-entropy of Alice's string conditioned on 
Eve's state. We have also found that we can upper bound the max-entropy of 
Alice's string conditioned on Bob's string using the number of errors in a 
random subset of their strings, which can be used for information reconciliation 
and can also put a bound on the min-entropy (see Section 3.4.2 
below). In the infinite-key limit these entropies are the von Neumann entropy 
of Alice's string conditioned on Eve's state and the Shannon entropy 
of Alice's string conditioned on Bob's string respectively. For each of the 
post-processing steps there are several parameters that can be varied. 

In privacy amplification using the leftover hashing lemma there is the 
size of the string output from the hash function, $t$, and the failure probability 
$\varepsilon_{\mathrm{pa}}$. In information reconciliation there is the failure probability of 
correcting the errors, $\varepsilon_{\mathrm{ir}}$. In parameter estimation there is the size of the 
sample $k$, the number of bits of Alice's and Bob's strings $N$, and the parameter 
$\gamma$. Depending on which family of hash functions is used, the 
explicit protocols used for privacy amplification and information reconciliation, 
and the parameters in parameter estimation, different bounds can 
be achieved for the security of the protocol. 

One of the challenges of proving security for a QKD protocol is to analyze 
exactly what the bound is for the security and robustness. Since these 
bounds correspond to the failure probability of the protocol to be secure and 
robust, it is important to make sure that these are small enough. Typically, 
these should be small enough to be comparable to the failure probability of 
the devices used in the protocol, for example, of the order $10^{-20}$ [Ren12b]. 
Other security proofs use less stringent security parameters, such as $10^{-10}$ 
or $10^{-14}$ [TLGR12] (see Footnote 8). 

If the security parameter scales exponentially in terms of the number 
of signals sent (i.e. it is of the form $2^{-cn}$ for a constant $c$) then numbers 
of the order of $10^{-6}$ to $10^{-14}$ can be achieved. This scaling makes QKD 
efficiently scalable, since improving the security parameter by an 
order of magnitude only requires a linear increase in the number of 
signals sent. 

8 For comparison, the probability that a person is struck by lightning is of the order of 
$10^{-6}$ [BBC], and the probability of winning the top prize of the EuroMillions lottery is of 
the order of $10^{-9}$ [eur]. 

In addition to tuning the security parameters the error threshold must 
also be decided. Recall that if Alice and Bob see an error ratio or error rate 
beyond a certain threshold they should abort the protocol. This value is 
calculated as the highest error rate such that there is still a positive lower 
bound on the number of bits of key that can be extracted using privacy 
amplification. The calculation of the error threshold is dependent on the 
particular protocol and its security proof. 


3.4 Security Proof Methods 

There are many different ways to prove secrecy in QKD. While methods 
started as specific techniques that were restricted to specific protocols, 
more general techniques exist today. However, the various techniques for 
proving secrecy in QKD are still highly dependent on the structure of the 
protocol and what kind of assumptions are made. The resulting security is 
then dependent on these assumptions. That is, if an experimentalist would 
like to use a security proof for a given experimental setup, they should be 
able to justify the assumptions that are made in the security proof. If they 
cannot be justified, then it leaves a security loophole: an attacker may 
exploit the devices or sub-protocols that do not behave according to the 
assumption made and break the security of the protocol. These kinds of 
attacks are called side-channel attacks. We will examine these in Chapter 4. 

Therefore, it is important to keep in mind that security is proved under 
certain assumptions. These assumptions can be grouped into what we 
call a model for the protocol. Many of the techniques for proving security 
apply to various models and so we list various classes that help identify 
which techniques apply to which models (Section 3.4.1). Note that almost 
all of the classes of protocols listed below can use the classical post-processing 
steps outlined above in order to prove security because the classical 
post-processing usually does not require any information about where 
the classical data comes from. 

When security proofs are presented in the literature, often there is a 
plot of a lower bound on the key rate that accompanies the proof. The key 
rate is the ratio of the number of bits of secure key that are extracted per 
signal sent. Plots are usually of the log of the key rate versus the error rate 
since the log of the key rate typically follows a linear dependence followed 
by an exponential drop off as the error rate increases. 

In the finite-key regime the number of bits of secure key is plotted 
against the number of signals sent with a fixed error rate instead. This 
key rate asymptotically approaches the infinite-key regime's key rate as 
the number of signals becomes very large. 

The lower bound on the key rate is a measure of how good a protocol 
is compared to others and ideally this bound is made as high as possible. 
The maximum for discrete protocols is upper bounded by the maximum 
amount of information that can be measured from the sent quantum states, 
called the Holevo bound [Hol73]. There have also been investigations into 
the upper bounds of various key rates by analyzing particular attacks on 
protocols that Eve could do and plotting the resulting key rate as a function 
of the error ratio due to the attack. For example, there are upper bounds 
for the DPS [GSC09] and COW [BGS08] protocols, as well as for BB84 with 
different kinds of assumptions [MCL06a, MCL06b, CMM+09]. 

Assumptions are also important for the interpretation of the upper 
and lower bounds on key rates. While comparing different security proofs 
it can be misleading to only compare their rates, as there may be a tradeoff 
between how many assumptions are made and the key rate. If many assumptions 
are made, then the key rate may be high, but if fewer assumptions 
are made, the key rate may be lower. 

In order to clarify which assumptions are being made, we first list 
various properties of protocols, which we call protocol classes, in order to 
distinguish which proof techniques apply to which scenarios. 


3.4.1 QKD Protocol Classes 

One model class is whether security is proven in the device-dependent 
scenario or the device-independent scenario. The device-dependent scenario 
assumes that devices are characterized. For example, a measurement 
device may be described by a known set of POVM elements, or a source 
may output states of a particular form. On the other hand, the device-independent 
scenario does not make assumptions about the structure of 
the measurement devices. There is even another regime in between these 
two in which some devices are characterized and some are not. 
We call this scenario the partially-device-independent scenario. 

Another class distinction is whether the protocol is run to produce an 
infinite key or a finite key. Sometimes a QKD protocol may be considered in 
the asymptotic case, where the protocol is run for an infinite time in order 
to produce an infinitely-long key. While this is not a practical assumption, 
it is helpful to consider it for several reasons. First, the asymptotic scenario 
usually simplifies the analysis, which makes it easier to show a protocol 
is at least secure in principle. Second, it can be helpful to compare the 
asymptotic behaviour of various protocols to one another to see which is 
most efficient in the error rate. However, for a protocol to be secure for 
practical purposes it is important to consider the finite-key regime. 

Yet another distinction is the kind of states which are used in the 
protocol, such as qubits, distributed phases, and continuous variables. The 
first two are described in finite-dimensional Hilbert spaces, while the third 
uses infinite-dimensional Hilbert spaces. For distributed phase protocols, a 
large global state that cannot be decomposed into qubits is sent from Alice 
to Bob. For example, information that Alice is trying to send to Bob can be 
encoded in the relative phase between a sequence of pulses. Continuous-variable 
protocols use squeezed or coherent states of light. Note that this 
distinction will be used to classify how the protocol, in principle, should 
be implemented and not whether the states are actually assumed to be 
implemented as intended. This assumption will be further discussed in 
Chapter 4. 

QKD protocols can also be broken down into protocols with a basis 
choice and those without one. A basis choice refers to whether the measurements 
and prepared states are decomposed into different bases or not. 
For example, a measurement device may not be passive, but instead require a 
random input to pick a basis for each measurement it performs (i.e. it is 
active). 

Protocols may have one of two structures: entanglement based or prepare 
and measure (P&M). Entanglement based protocols involve the preparation 
of entangled states, usually by an untrusted source such as Eve, and 
Alice and Bob both do measurements on that state. A P&M protocol is one 
where states are prepared by Alice, she sends them through an insecure 
quantum channel, and the state is measured by Bob. There are other protocols 
that do not follow this structure, though we do not consider them 
here. See Section 5.2 for two examples. 

Finally, Eve may attack the protocol either individually, collectively, or 
coherently (see Section 3.2.1). 

In summary there are seven classes we consider: the device class (dependent, 
independent, or partially independent), the key class (infinite or 
finite), the state class (qubits (or another finite-dimensional Hilbert space), 
distributed phase, or continuous variable), the basis class (basis choice or 
no basis choice), the measurement class (active or passive), the type class 
(entanglement based or P&M), and the attack class (individual, collective, 
or coherent). Note that three of the classes (device, key, and attack) are 
dependent on the assumptions made, while the other four (state, basis, 
measurement, and type) refer to a protocol's structure. 

We now divide the proof methods into the device-dependent and 
device-independent scenarios. The partially-device-independent scenario 
will be discussed with the device-dependent scenario. 


3.4.2 The Device-Dependent Scenario 

There are many different techniques used to prove security. Some 
only apply to a specific protocol, while other techniques are more generic. 
The first security proofs of QKD proved that the accessible information 
between Alice’s key and Eve’s information was small (see Section 3.2.2). 
However, since this is not a definition that is composable, we will only 
glance over the historical techniques that have been used to prove this 
kind of security. 


Historical Methods 

Many of the first proofs of QKD, which were for the BB84 protocol, 
exploited the specific structure of the states used in the protocol [LC99, 
SP00, May01]. The idea behind the proof of [LC99] was to use quantum 
error correcting codes on the states sent from Alice to Bob. This proof was 
simplified in [SP00] to show that the quantum error correcting code does 
not need to be implemented, since the error correcting code commutes 
with Bob's measurement. Instead, Bob can use a classical error correcting 
code after his measurement. The proof of [May01] is quite involved, so 
we omit a discussion of its method here. 

These early proofs assumed the exact structure of the states and mea¬ 
surements performed (or quantum error correction, in the case of [LC99]). 
With more recent techniques, we can prove universally composable secu¬ 
rity and also relax the kinds of strict assumptions that were made in these 
early proofs. 


Current Methods 

A more recent proof technique is due to Devetak and Winter [DW05]. 
This proof technique applies to the infinite-key regime and for the case 
where Eve is restricted to collective attacks. The Devetak-Winter technique 
gives an explicit expression for a lower bound on the key rate, $r$, given 
outcomes from Alice's and Bob's raw keys $K_A$ and $K_B$, and Eve's system 
before measuring, $E$. The bound on the rate is usually written as 

$$ r \geq I(K_A : K_B) - \chi(K_A : E), \qquad (3.73) $$

where $\chi(K_A : E) := H(E) - \sum_{k_A} p(k_A)\, H(E \mid K_A = k_A)$ (with 
$p(k_A)$ the probability of Alice getting key $k_A$) is the Holevo quantity. 
The Holevo quantity is really just the mutual information of the CQ state 
shared between Alice and Eve, since $\sum_{k_A} p(k_A) H(E \mid K_A = k_A) = 
H(E \mid K_A)$ and $H(E) - H(E \mid K_A) = I(K_A : E)$. 


One way to prove security has been to exploit the explicit form of the 
protocol. For example, the entropy involving Eve’s system in the Holevo 
quantity can be reduced to quantities that only contain Alice and Bob’s 
quantum states or their measurement outcomes. 

If the state shared between Alice, Bob, and Eve is pure, then Eve 
has more power than if their state was mixed. This fact is due to the 
data-processing inequality. Since the partial trace is a CPTP map, Eve has 
more information if her system is a purification of Alice's and Bob's systems 
instead of an extension of their state that is not pure (see [Tom12] for the 
formal definition of an extension). 


Therefore, without loss of generality we can say that the shared state 
before measuring is $\rho_{ABE} = |\Psi\rangle\langle\Psi|$, which implies that 
$H(AB) = H(E)$ (see Section 2.3.1). The second term in $\chi$ can be estimated 
in a similar way if Alice's measurement is a rank one POVM. If this is the 
case, then the state between Bob and Eve conditioned on Alice's measurement 
outcome but before Bob and Eve measure is 

$$ \rho_{BE}^{k_A} = \frac{1}{\Pr[k_A]}\, \mathrm{Tr}_A\!\left( (F_A^{k_A} \otimes \mathbb{1}_{BE})\, |\Psi\rangle\langle\Psi| \right), \qquad (3.74) $$

which is pure. To see that this state is pure, first note that if a normalized 
state $\sigma = |\phi\rangle\langle\phi|$ is pure then $\mathrm{Tr}(\sigma^2) = 
|\langle\phi|\phi\rangle|^2 = 1$. Since $F_A^{k_A}$ is rank one, we can write it 
as $|\phi_{k_A}\rangle\langle\phi_{k_A}|$. Using the cyclicity of the trace [NC00], 
we get 

$$ \mathrm{Tr}\big((\rho_{BE}^{k_A})^2\big) = \frac{1}{\Pr[k_A]^2}\, \mathrm{Tr}\Big( \big( \mathrm{Tr}_A( |\phi_{k_A}\rangle\langle\phi_{k_A}| \otimes \mathbb{1}_{BE}\, |\Psi\rangle\langle\Psi| ) \big)^2 \Big) \qquad (3.75) $$

$$ = \frac{1}{\Pr[k_A]^2}\, \mathrm{Tr}\Big( \big( \langle\phi_{k_A}|\Psi\rangle\langle\Psi|\phi_{k_A}\rangle \big)^2 \Big) \qquad (3.76) $$

$$ = \frac{1}{\Pr[k_A]^2}\, \big| \langle\Psi|\phi_{k_A}\rangle\langle\phi_{k_A}|\Psi\rangle \big|^2 = 1. \qquad (3.77) $$

Since the state is pure, we can use the same trick as with the first term of 
$\chi$ to get $H(E \mid K_A) = H(B \mid K_A)$. Now the bound on the key rate can 
be written entirely with entropies involving Alice's and Bob's systems. 

Another way to use the Devetak-Winter rate, Eq. 3.73, is to not write 
it in terms of a difference of mutual informations, but instead write it as 

$$ r \geq H(K_A \mid E) - H(K_A \mid K_B). \qquad (3.78) $$

In this form, the bound on the rate has an intuitive interpretation: the 
amount of key Alice and Bob can get is just the difference between the 
amount of uncertainty that Eve has about Alice's key and the amount of 
uncertainty Bob has about Alice's key. If Eve has more uncertainty than 
Bob then the rate may be positive, but if Eve has more information than 
Bob then the rate cannot be positive. 

Using the method of types (see Section 3.3.3) we can upper bound 
$H(K_A \mid K_B)$ using the binary entropy function of the error rate, $h(q)$. 

Now we need to lower bound $H(K_A \mid E)$, which can be accomplished 
in a number of ways. If the state structure is assumed (e.g. if qubits are 
assumed to be used) then the symmetry in the given protocol can be 
exploited to bound $H(K_A \mid E)$. See [Fer13, Ren05] for a detailed 
description of how symmetry can be used to prove security. If the dimensions 
of the states are assumed to be low then a brute-force search could be done 
through the Hilbert space to see which state gives Eve the most information 
that is compatible with a given error rate. 

If there is no assumption made about the structure of the states used 
in the protocol, then there is another technique: the uncertainty relation 
for entropies (Theorem 2.3.11). This uncertainty relation applies to the 
min- and max-entropy and therefore is relevant for the finite-key scenario. 
Using the QAEP this uncertainty relation can be used for the infinite-key 
scenario as well [BCC+10]. This uncertainty relation is restricted to the 
case of entanglement-based protocols with two basis choices where one 
basis is used for the key, X, and one is used for parameter estimation, Z. 
This uncertainty relation puts a lower bound on the min-entropy of Alice's 
string conditioned on Eve's state: 

$$ H^{\epsilon}_{\min}(K_A^X \mid E) \geq n \log\frac{1}{c} - H^{\epsilon}_{\max}(K_A^Z \mid B), \qquad (3.79) $$

where $c = \max_{x,z} \big\| \sqrt{F_x}\sqrt{G_z} \big\|_\infty^2$ is the overlap 
between two measurements $F$ and $G$ that Alice could perform on her system, 
$n$ is the number of signals sent and measured by Bob, $B$ is Bob's system 
before he measures, $E$ is Eve's system, and $K_A^X$ and $K_A^Z$ are Alice's 
outcomes to these measurements. The lower bound can be simplified with the 
data-processing inequality by using the fact that Bob's measurement is in the 
same basis as Alice's: $H^{\epsilon}_{\max}(K_A^Z \mid B) \leq 
H^{\epsilon}_{\max}(K_A^Z \mid K_B^Z)$. Then Alice and Bob need to estimate 
this quantity in parameter estimation. 

In order to use this uncertainty relation they need to have some as¬ 
sumptions about the measurements used in the protocol, namely that the 
overlap is known and each measurement is done independently (see Sec¬ 
tion 4.8). 
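The two ingredients above, the Holevo quantity of Eq. 3.73 and the rate of Eq. 3.78 with its first term bounded through Eq. 3.79, can be evaluated numerically. The following Python script is an added example and not part of the thesis. It computes $\chi(K_A : E)$ for a constructed CQ state in which Eve holds $|0\rangle$ when Alice's bit is 0 and $|+\rangle$ when it is 1, and it evaluates the asymptotic BB84 rate obtained from Eq. 3.78 when the per-signal (infinite-key) form of Eq. 3.79, $H(K_A \mid E) \geq \log(1/c) - H(K_A^Z \mid K_B^Z)$ with $c = 1/2$ for the two conjugate qubit bases, bounds the first term and $h(q)$ bounds the second. The assumption of the same error rate $q$ in both bases, and the bisection used to locate the threshold error rate, are the example's own choices.

```python
import math


def h(q: float) -> float:
    """Binary entropy function h(q) in bits, with h(0) = h(1) = 0."""
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * math.log2(q) - (1.0 - q) * math.log2(1.0 - q)


def eig2(a: float, b: float, d: float):
    """Eigenvalues of the real symmetric 2x2 matrix [[a, b], [b, d]]."""
    tr, det = a + d, a * d - b * b
    disc = math.sqrt(max(tr * tr / 4.0 - det, 0.0))
    return tr / 2.0 + disc, tr / 2.0 - disc


def von_neumann_2x2(rho) -> float:
    """H(rho) = -sum_i lambda_i log2 lambda_i for a real 2x2 density matrix
    given as the entries (a, b, d) of [[a, b], [b, d]]."""
    return sum(-lam * math.log2(lam) for lam in eig2(*rho) if lam > 1e-12)


def holevo(p, states) -> float:
    """chi(K_A:E) = H(E) - sum_k p(k) H(E | K_A = k), Eq. 3.73, for a CQ state
    whose conditional states rho_E^{k} = states[k] are real 2x2 matrices."""
    avg = tuple(sum(p[k] * states[k][i] for k in range(len(p))) for i in range(3))
    return von_neumann_2x2(avg) - sum(p[k] * von_neumann_2x2(states[k]) for k in range(len(p)))


def holevo_two_pure_states() -> float:
    """Constructed example: Eve holds |0> for k_A = 0 and |+> for k_A = 1,
    each with probability 1/2. Both conditional states are pure, so
    H(E|K_A) = 0 and chi equals the entropy of the average state."""
    ket0 = (1.0, 0.0, 0.0)        # |0><0|
    ketplus = (0.5, 0.5, 0.5)     # |+><+|
    return holevo([0.5, 0.5], [ket0, ketplus])


def bb84_rate(q: float, c: float = 0.5) -> float:
    """Asymptotic key rate per sifted signal from Eq. 3.78:
    H(K_A|E) >= log2(1/c) - h(q_Z) by the per-signal form of Eq. 3.79, and
    H(K_A|K_B) <= h(q_X) by the method of types. Assumes q_X = q_Z = q and
    c = 1/2 (the overlap of the X and Z qubit bases)."""
    return math.log2(1.0 / c) - 2.0 * h(q)


def threshold(rate=bb84_rate, lo: float = 0.0, hi: float = 0.5, iters: int = 60) -> float:
    """Largest error rate with a non-negative rate, found by bisection; the
    rate is decreasing in q on [0, 1/2] so the sign change is unique."""
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if rate(mid) > 0.0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


if __name__ == "__main__":
    print("chi for {|0>,|+>}:", round(holevo_two_pure_states(), 4))
    print("BB84 rate at q = 5%:", round(bb84_rate(0.05), 4))
    print("BB84 threshold error rate:", round(threshold(), 4))
```

Running it reports a Holevo quantity of about 0.60 bits for the two-state example (the average state $\tfrac12(|0\rangle\langle 0| + |+\rangle\langle +|)$ has eigenvalues $\cos^2(\pi/8)$ and $\sin^2(\pi/8)$) and a BB84 threshold near $q \approx 11\%$, the error rate at which $1 - 2h(q)$ crosses zero.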

To see how the uncertainty relation can be used to prove security, it is 
useful to consider two thought experiments (sometimes also called by the 
German term Gedankenexperiment). The actual experiment has one basis 
chosen with probability $p_X$ and the other with probability $p_Z = 1 - p_X$. 
The thought experiments are the same as the actual protocol, but while 
choosing the bases in the same way, it turns out that all of the measurements 
happen to be in the Z basis or all in the X basis. We call these thought 
experiments the Z-basis thought experiment and the X-basis thought 
experiment respectively. Let Alice's and Bob's strings from the Z-basis 
thought experiment be $K_A^Z$ and $K_B^Z$, respectively, while in the X-basis 
thought experiment they are $K_A^X$ and $K_B^X$. 

Recall that in parameter estimation Alice and Bob will communicate a 
subset of their strings (denoted with the size of this subset, $k$), from which 
they can estimate the max-entropy of their complete strings (denoted with 
$N = n + k$, where $n$ is the size of the string that is not communicated). 
Alice and Bob can estimate the max-entropy of the Z-basis thought experiment, 
$H^{\epsilon}_{\max}(K_A^Z \mid K_B^Z)$, using their communication of the subset 
$k$ of their strings from the actual experiment (as in Section 3.3.3) since 
these signals were measured in the same basis. Then the uncertainty relation 
using this max-entropy puts a bound on $H^{\epsilon}_{\min}(K_A^X \mid E)$ for 
the X-basis thought experiment. 

In the actual experiment Alice has used a fraction $\nu = k/N$ of her 
string for parameter estimation so she really wants a lower bound on 
$H^{\epsilon}_{\min}((K_A^X)^n \mid E)$ from the actual experiment for the $n$ 
bits she has kept to construct her key. There is a generalization of the data 
processing inequality that relates this min-entropy to the min-entropy of the 
second thought experiment (Theorem 5.7 in [Tom12]) that gives us 

(3.80) 

This means that in the actual protocol $H^{\epsilon}_{\min}((K_A^X)^n \mid E)$ 
is lower bounded. 

Note that Eve's system also contains the classical information that 
is communicated through the authenticated classical channel, which also 
needs to be taken into account in the security proof (see [TLGR12] for an 
example). 

In the infinite-key case Alice and Bob can get perfect statistics about 
their strings, and can therefore estimate $H(K_A^Z \mid K_B^Z)$ perfectly using 
the method of types (see Lemma 3.3.5). 

The uncertainty relation has been used for security proofs of the BB84 
protocol and two two-way protocols (see Section 5.2) [TLGR12, BLMR13]. 
The uncertainty relation also has a continuous-variable version that can be 
used to prove security for CV QKD protocols [FAR11, FFB+12, BCF+13, 
FFB+14, Fur14]. In addition, the uncertainty relation can be applied to 
P&M protocols as well as entanglement-based protocols by showing an 
equivalence between them (see Section 3.4.4 and Section 5.2). 

Most other techniques used to prove security of QKD to date exploit 
the structure of the states and/or measurements used in the protocol. 
Examples of security proofs that use these descriptions are the proofs of the 
B92 protocol [TKI03, TL04, Koa04, TLKB09], many of the early proofs 
of the BB84 protocol [LC99, May96, May01, SP00, KP03, GLLP04, RK05, 
RGK05, KGR05], and the single-photon security proofs of the DPS and 
COW protocols [WTY09, WBC+14]. This assumption about the state structure 
makes it difficult to discuss a general strategy and so we omit the 
discussion of these kinds of techniques. 


3.4.3 Reductions 

Reductions in QKD protocols simplify the problem of proving security 
against any possible attack by an eavesdropper (i.e. coherent attacks) to a 
reduced class of attacks, e.g. collective attacks. These reductions require 
assumptions about the structure of the protocol. 

There are two known reductions that reduce coherent attacks to 
collective attacks: the exponential de Finetti theorem of Renner [Ren07, 
Ren05] and the post-selection technique [CKR09, Ren10]. However, the 
exponential de Finetti theorem is less efficient than the post-selection 
technique except for the infinite-key regime, where they produce the same 
results. Therefore, we will focus primarily on the post-selection technique. 

These reductions apply to entanglement-based protocols. They assume 
that the quantum states in the protocol act on a fixed Hilbert space, 
$\mathcal{H}_Q$, and that the protocol is permutation invariant.$^{9}$ The first 
assumption means that each signal sent from Alice to Bob acts on 
$\mathcal{H}_Q$, so that the total Hilbert space for the whole run of the 
protocol with $n$ signals is $\mathcal{H}_Q^{\otimes n}$. This means that we are 
also assuming that Eve is restricted to sending Alice and Bob joint states in 
$\mathcal{H}_Q$ for each signal. The second assumption, that the protocol is 
permutation invariant, means that for any permutation $\pi$ of the input 
states of the protocol there exists a CPTP map $G_\pi$ such that 
$G_\pi \circ \mathcal{E} \circ \pi = \mathcal{E}$ for the CPTP map $\mathcal{E}$ 
that represents the QKD protocol. A permutation on $\mathcal{H}_Q^{\otimes n}$ 
is defined by its action on pure tensor product states: 

$$ \pi\, |\phi_1\rangle \otimes |\phi_2\rangle \otimes \cdots \otimes |\phi_n\rangle = |\phi_{\pi^{-1}(1)}\rangle \otimes |\phi_{\pi^{-1}(2)}\rangle \otimes \cdots \otimes |\phi_{\pi^{-1}(n)}\rangle, \qquad (3.81) $$

where $\pi^{-1}$ is the inverse of the permutation. The map $G_\pi$ can be 
thought of as undoing the permutation on the output of the protocol in order 
to make sure that the outputs of $\mathcal{E}$ and $\mathcal{E} \circ \pi$ are 
the same. 

The de Finetti theorem [Ren07, Ren05] relates states to approximate 
de Finetti states. De Finetti states are convex combinations of product 
states $\sigma_Q^{\otimes n}$ defined as: 

$$ \tau_{Q^n} = \int \sigma_Q^{\otimes n}\, d\sigma_Q, \qquad (3.82) $$

where $d\sigma_Q$ is a measure over the set of density operators on 
$\mathcal{H}_Q$. This measure can be thought of as a probability distribution 
over quantum states. The de Finetti state can be interpreted as the situation 
of picking a state according to the measure $d\sigma_Q$ and then the 
probability of getting a state in an $\epsilon$-ball defined by a distance 
measure between quantum states (Defn. 2.3.8) is the same for all such balls 
with the same radius [Ren10]. The norm used to define distance in this case 
is the Hilbert-Schmidt norm (Defn. B.3.3). We will now focus on the 
post-selection technique, instead of the de Finetti theorem. To see how the 
de Finetti theorem can be used for QKD, see [Ren07, Ren05]. 


The Post-Selection Technique 

The post-selection technique is so named because a permutation in¬ 
variant state can be extracted from a fixed state by post-selecting on a 
particular measurement [CKR09] . This situation is used in the proof tech¬ 
nique but we do not discuss the proof of the post-selection technique here. 
In this section we will outline what the post-selection technique is and how 
it can be used in quantum cryptography. 

9 While the quantum stage of the protocol and parameter estimation need to be permu¬ 
tation invariant to use these reductions, we will show that information reconciliation and 
privacy amplification do not need to be permutation invariant. 
Note that we can write the security criterion of a QKD protocol as 
a map acting on the initial shared state between Alice, Bob, and Eve. If 
we combine Alice's and Bob's systems into $AB = Q$ and have $\mathcal{E}$ and 
$\mathcal{F}$ be the maps representing the real protocol and the ideal 
protocol respectively, then the security definition (Defn. 3.2.4) can be 
written as 

$$ \Delta(\mathcal{E}, \mathcal{F})_{\rho_{Q^n}} := \big\| \mathcal{E} \otimes \mathrm{id}(\rho_{Q^n E}) - \mathcal{F} \otimes \mathrm{id}(\rho_{Q^n E}) \big\|_1 \leq \epsilon, \qquad (3.83) $$

where $\rho_{Q^n}$ is the state of the protocol, $n$ is the number of signals 
sent in the protocol, $\rho_{Q^n E}$ is a purification of $\rho_{Q^n}$, and $E$ 
is Eve's system before the classical post-processing. 

Now we can state the post-selection theorem as it applies to QKD. 

Theorem 3.4.1 (Post-selection theorem for QKD, Lemma 4 in [Ren10]). 
Let $\mathcal{E}$ and $\mathcal{F}$ be any permutation invariant CPTP maps. 
Then for any $\rho = \rho_{Q^n}$ 

$$ \Delta(\mathcal{E}, \mathcal{F})_\rho \leq (n+1)^{d_Q^2 - 1}\, \Delta(\mathcal{E}, \mathcal{F})_\tau, \qquad (3.84) $$

where $d_Q$ is the dimension of $\mathcal{H}_Q$ and $\tau = \tau_{Q^n} \in 
\mathcal{S}(\mathcal{H}_Q^{\otimes n})$ is the de Finetti state for 
$\mathcal{H}_Q^{\otimes n}$. 

This theorem implies that instead of considering general states in the 
protocol, $\rho$, we can consider the de Finetti state $\tau$. Note the state 
$\tau$ is a fixed state. Using this theorem adds a factor of $(n+1)^{d_Q^2 - 1}$ 
to the security parameter. However, the security parameter is usually 
exponentially dependent on the number of signals (i.e. $\epsilon \sim 2^{-cn}$ 
for a constant $c$, see Section 3.3.4). This means that the polynomial factor 
does not change the security by much, since a logarithmic decrease (in the 
number of signals, $n$) in the final key length during privacy amplification 
can restore the same level of security as what would be possible without 
using this technique. 

The post-selection theorem can be shown to imply that Eve gets 
virtually no advantage to attacking permutation invariant protocols using 
coherent attacks instead of collective attacks. It can be much easier to prove 
security of a QKD protocol by assuming that an i.i.d. state is used (of the 
form $\sigma^{\otimes n}$), which is the case for collective attacks. In 
particular, security can usually be proved for all i.i.d. states, of which each 
state is in a fixed Hilbert space, $\mathcal{H}_Q$. This kind of proof implies 
that any convex combination of i.i.d. states must also be secure and therefore 
the de Finetti state must be secure. 

Note that for product states, Eve will hold a purification of each 
subsystem independently. However, the post-selection theorem applies to the 
purification of the de Finetti state $\tau$, not to the purification of each 
subsystem independently. In [CKR09] the authors show that the purifying 
system of the de Finetti state $\tau$ has a dimension that is polynomial in $n$ 
(specifically, $(n+1)^{d_Q^2 - 1}$), which means that by doing polynomially 
more privacy amplification this extra information may be removed from Eve. 
Therefore to apply the post-selection technique together with the removal 
of the information Eve gets from her purification of the de Finetti state, 
$2(d_Q^2 - 1)\log(n+1)$ bits need to be removed in privacy amplification. 

The post-selection technique can be used in continuous-variable QKD 
as well [LGPRC13], though an analysis of this application is beyond the 
scope of this thesis. 


Post-Selection Example 

As an example of an application of the post-selection technique, 
consider the BB84 protocol in its entanglement-based implementation (see 
Section 3.4.4). First, we decompose the protocol into two parts. The first 
part of the protocol needs to be permutation invariant, while we show that 
the second part of the protocol does not necessarily need to be permutation 
invariant. Consider the quantum stage, sifting, and parameter estimation 
together as the first half of the protocol, $\mathcal{E}_1 := \mathrm{PE} \circ 
\mathrm{Sift} \circ F$, where $F$ is the quantum measurement. Then 
information reconciliation and privacy amplification will be the sub-protocol 
$\mathcal{E}_2 := \mathrm{PA} \circ \mathrm{IR}$ that follows $\mathcal{E}_1$. 

To show that the BB84 protocol is permutation invariant, first consider 
$\mathcal{E}_1$. We need to show that there exists a CPTP map $G_\pi$ such that 
$G_\pi \circ \mathcal{E}_1 \circ \pi = \mathcal{E}_1$ for any permutation $\pi$. 
Consider $\mathcal{E}_1 \circ \pi$ for a fixed permutation $\pi$. Assume that 
Alice and Bob apply the permutation $\pi$ to their systems and then measure 
their states in this permuted order. The permutation $\pi$ will not need to be 
applied in an implementation of the protocol. We will only assume that Alice 
and Bob apply this permutation to argue that $\mathcal{E}_1$ is permutation 
invariant. 

If we assume that the measurements on the quantum states of Alice 
and Bob are memoryless and identical (therefore their POVM elements are 
of the form $F^{\otimes M}$, where $F$ is a measurement on an individual 
signal and $M$ is the number of signals sent) then the permutation of the 
quantum states commutes with their measurements. 

The sifting step removes bits from Alice's and Bob's strings where they 
measured in different bases. The sifting also removes bits of Alice's string 
where Bob did not get a measurement outcome. The sifting commutes 
with the permutation since it removes bits independent of their position in 
Alice's and Bob's strings. 

We now know that 

$$ \mathrm{PE} \circ \mathrm{Sift} \circ F^{\otimes n} \circ \pi = \mathrm{PE} \circ \pi \circ \mathrm{Sift} \circ F^{\otimes n} \qquad (3.85) $$

for any permutation n. We now need to argue that the permutation com¬ 
mutes with parameter estimation. 

Note that parameter estimation is just the choice of a random subset 
of Alice’s and Bob’s strings that are communicated through the authen¬ 
ticated classical channel and removed from their strings (as well as an 
estimation procedure based on this communication). This means we can 
decompose parameter estimation into three parts: a choice of a random 
subset, the removal of the subset, and the estimation. Formally, we have 
the decomposition 


PE = Estimation o Removal o Subset. (3.86) 


The choice of a random subset of Alice's and Bob's strings is 
equivalent to first applying a random permutation to Alice's and Bob's 
strings followed by the choice of the first $k$ bits of the string for the 
sample and then the inverse of the permutation. However, the communication 
of the positions of Alice's string will be different in $\mathrm{PE}$ compared 
to $\mathrm{PE} \circ \pi$ since the positions of the bits are permuted. 
Still, a classical transformation can be applied that undoes the permutation 
on the positions that are communicated. Formally, if the positions 
communicated in $\mathrm{PE}$ are elements of a set $\{v_1, v_2, \dots, v_k\}$ 
then in $\mathrm{PE} \circ \pi$ the positions communicated are 
$\{\pi(v_1), \pi(v_2), \dots, \pi(v_k)\}$. By applying the inverse permutation 
to each position, the original communication of $\mathrm{PE}$ can be 
recovered. Therefore, the choice of random subset is permutation invariant. 

The removal procedure is the removal of the randomly chosen subset 
from Alice’s and Bob’s strings, which is accomplished by communication 
of the subset from Alice to Bob (or vice versa). The bits that are removed 
are the same whether a permutation would be applied to Alice’s and Bob’s 
strings or not. Therefore, the removal procedure is permutation invariant. 

The estimation procedure uses the communicated subset to do esti¬ 
mation. The estimation is also independent of the ordering of Alice’s and 
Bob’s strings, and therefore is permutation invariant. 

In summary, the parameter estimation step is permutation invariant: 
$G_\pi \circ \mathrm{PE} \circ \pi = \mathrm{PE}$, where $G_\pi$ is the inverse of 
the permutation $\pi$ applied to Alice's and Bob's strings as well as the 
inverse permutation applied to each position communicated. Combining this 
fact with Eq. 3.85 means that the first half of the protocol, $\mathcal{E}_1$, 
is permutation invariant, under the assumption that the measurements are of 
the form $F^{\otimes M}$ and that parameter estimation chooses a random 
subset of Alice's and Bob's strings. 

The above argument gives some insight as to why a random subset is 
chosen for parameter estimation; the random subset makes the protocol 
permutation invariant. If instead of a random subset a fixed subset was 
chosen, then $\mathcal{E}_1$ would not be permutation invariant. 
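The commutation argument for parameter estimation can be checked mechanically. The following Python script is an added example and not part of the thesis. It models Alice's and Bob's sifted raw keys as bit strings, implements $\mathrm{PE} = \mathrm{Estimation} \circ \mathrm{Removal} \circ \mathrm{Subset}$, and implements $G_\pi$ as the inverse permutation applied to the kept bits and to each announced position. It then verifies $G_\pi \circ \mathrm{PE} \circ \pi = \mathrm{PE}$ for a random subset, shows that a fixed subset breaks the invariance, and evaluates the $2(d_Q^2-1)\log(n+1)$ bits that privacy amplification pays for the post-selection theorem. The sample strings, the reversal permutation, the subset size and the choice $d_Q = 4$ (Alice's and Bob's qubits together) are constructed for the example.

```python
import math
import random


def permute(s, pi):
    """Apply pi to a string following Eq. 3.81: the symbol at position i moves
    to position pi[i], so the permuted string holds s[pi^{-1}(j)] at position j."""
    out = [None] * len(s)
    for i, j in enumerate(pi):
        out[j] = s[i]
    return out


def inverse(pi):
    """pi^{-1} as a position list."""
    inv = [0] * len(pi)
    for i, j in enumerate(pi):
        inv[j] = i
    return inv


def parameter_estimation(ka, kb, sample):
    """PE = Estimation o Removal o Subset on sifted keys ka, kb.
    `sample` holds the positions Alice announces. Returns the error estimate,
    the announced positions (sorted) and the kept bits in ascending position order."""
    sample = set(sample)
    announced = sorted(sample)
    q = sum(ka[i] != kb[i] for i in announced) / len(announced)
    kept = [i for i in range(len(ka)) if i not in sample]
    return q, announced, [ka[i] for i in kept], [kb[i] for i in kept]


def g_pi(pi, pe_output):
    """G_pi: relabel the announced positions by pi^{-1} and undo the permutation
    on the kept bits, mapping the output of PE o pi back to the labelling of PE."""
    q, announced, ra, rb = pe_output
    inv = inverse(pi)
    kept_perm = [j for j in range(len(pi)) if j not in set(announced)]  # order PE used
    order = sorted(range(len(kept_perm)), key=lambda t: inv[kept_perm[t]])
    return (q, sorted(inv[j] for j in announced),
            [ra[t] for t in order], [rb[t] for t in order])


# Constructed sample: 24 sifted bits; Bob's string differs from Alice's at
# positions 0..3 only, so the error pattern is easy to track under permutation.
KA = [i % 2 for i in range(24)]
KB = [b ^ (1 if i < 4 else 0) for i, b in enumerate(KA)]
REVERSAL = [23 - i for i in range(24)]   # a fixed permutation pi
K = 8                                    # size of the announced subset


def random_subset_is_invariant(seed=1):
    """G_pi o PE o pi == PE for a random subset: the subset drawn in the permuted
    experiment corresponds, via pi^{-1}, to an equally likely subset in the
    unpermuted one, and the relabelled outputs agree exactly."""
    sample = random.Random(seed).sample(range(24), K)        # positions in permuted order
    left = g_pi(REVERSAL, parameter_estimation(permute(KA, REVERSAL),
                                               permute(KB, REVERSAL), sample))
    inv = inverse(REVERSAL)
    right = parameter_estimation(KA, KB, [inv[j] for j in sample])
    return left == right


def fixed_subset_is_not_invariant():
    """With a fixed subset (the first K positions) the error estimate itself
    changes under pi, so no relabelling G_pi can restore it."""
    first = range(K)
    q_plain = parameter_estimation(KA, KB, first)[0]
    q_perm = parameter_estimation(permute(KA, REVERSAL), permute(KB, REVERSAL), first)[0]
    return q_plain != q_perm, q_plain, q_perm


def post_selection_overhead_bits(d_q, n):
    """Bits removed in privacy amplification to pay for the (n+1)^(d_Q^2-1) factor
    of Eq. 3.84 and for Eve's purification of the de Finetti state: 2(d_Q^2-1) log2(n+1)."""
    return 2 * (d_q ** 2 - 1) * math.log2(n + 1)


if __name__ == "__main__":
    print("random subset invariant:", random_subset_is_invariant())
    print("fixed subset (differs, q, q after pi):", fixed_subset_is_not_invariant())
    print("post-selection cost for d_Q=4, n=10^6:", round(post_selection_overhead_bits(4, 10**6)))
```

For the constructed strings the fixed-subset variant estimates an error rate of 0.5 before the permutation and 0.0 after it, whereas the random-subset variant gives identical estimates, positions and kept bits once $G_\pi$ is applied. For $d_Q = 4$ and $n = 10^6$ signals the post-selection overhead is roughly 600 bits, small against a key of that length.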

We now focus on showing under which privacy amplification and 
information reconciliation protocols the post-selection theorem applies. 
Assume that information reconciliation and privacy amplification are 
permutation invariant, which defines a sub-protocol $\mathcal{E}'_2$. If we 
assume that the output state shared by Alice and Eve after $\mathcal{E}'_2$ is 
invariant under a permutation of the states input to $\mathcal{E}_1$ then 
$\mathcal{E}'_2 \circ \mathcal{E}_1$ is permutation invariant because the map 
$G_\pi$ that changes the communicated positions in parameter estimation 
commutes with $\mathcal{E}'_2$. Then we can apply the post-selection theorem 
to $\mathcal{E}'_2 \circ \mathcal{E}_1$. If the protocol is secure, then 
Eq. 3.84 holds for the protocol $\mathcal{E} = \mathcal{E}'_2 \circ \mathcal{E}_1$. 

We want to show that we can replace permutation invariant informa¬ 
tion reconciliation and privacy amplification with non-permutation invari¬ 
ant information reconciliation and privacy amplification with a small cost 
to the security parameter of the protocol. 

An example of a permutation invariant privacy amplification protocol 
is the one using hash functions described in Section 3.3.1 that goes with 
the leftover hashing lemma, Lemma 3.3.3. Recall that in the privacy 
amplification procedure a random hash function from a family of hash 
functions is selected by Alice which is then communicated. Alice and Bob then 
apply the hash function to their strings. If the family of hash functions 
$\mathcal{F}$ is taken to be the set of all linear functions from $\{0,1\}^n$ 
to $\{0,1\}^{\ell}$, then for every permutation $\pi$ and string 
$K_A \in \{0,1\}^n$, there exists a unique pairing of every function 
$f \in \mathcal{F}$ to a function $\tilde f \in \mathcal{F}$ such that 
$f(K_A) = K'$ and $\tilde f(\pi(K_A)) = K'$. Since each function is chosen with 
equal probability, the state shared by Alice and Eve with a permutation is the 
same as if a permutation was not applied. 

The communication of the hash function in $\mathrm{PA} \circ \pi$ can be made 
the same as $\mathrm{PA}$ by relabeling the hash functions. Since a pairing 
exists between the functions $f$ of $\mathrm{PA}$ and the functions $\tilde f$ 
of $\mathrm{PA} \circ \pi$, a map can be applied to $\mathrm{PA} \circ \pi$ that 
relabels the function $\tilde f$ as $f$ if $\tilde f$ is communicated by Alice 
to Bob. After the relabeling of the communication and since the state 
shared by Alice and Eve is the same if the permutation was applied or not, 
there exists a permutation invariant privacy amplification protocol that 
commutes with the communication relabelling of $G_\pi$. 

Since we know that the protocol $\mathcal{E}'_2 \circ \mathcal{E}_1$ is 
secure, this implies that the min-entropy must be at least a certain amount, 
otherwise there is no privacy amplification protocol that could achieve 
security $\epsilon$. Theorem 8.2 in [Tom12] says that if there is security at 
least $\epsilon$ then the min-entropy before privacy amplification should be 
at least the size of the output string, $\ell'$: 

(3.87) 


Since this bound is guaranteed, then we can apply another privacy 
amplification procedure (such as leftover hashing) that is not permutation 
invariant using the fact that this min-entropy is at least $\ell'$. By applying 
the leftover hashing lemma (Lemma 3.3.3) using Eq. 3.87 the security 
statement is now 

(3.88) 

where $\ell$ is the size of the output length of the string from the privacy 
amplification hash function. 

A similar argument can be used for information reconciliation as with 
privacy amplification to show that we do not need a permutation invariant 
information reconciliation protocol. As in Section 3.3.2, there are two pos¬ 
sible non-permutation invariant information reconciliation protocols that 
we can use. 

The first of the two information reconciliation protocols must be 
universal so that it corrects errors for almost all strings that Alice and Bob 
could have. For example, an error correcting code exists in [RR12] that 
corrects all errors with probability at least $1 - \epsilon_c$, so the amount 
of communication necessary for Alice to send Bob to achieve this probability 
is at least 

(3.89) 

[RR12] (Theorem 8.1 of [Tom12], also see [RW05]). With this bound on 
the max-entropy, we can apply another error correcting code instead that 
is not permutation invariant, such as the same one we have already used. 
This gives a bound on the amount of communication of 

$$ c_{\epsilon'} \leq c_{\epsilon_c} + 2\log\frac{1}{\epsilon} + 4, \qquad (3.90) $$

where $\epsilon' = \sqrt{2\epsilon_c - \epsilon_c^2} + \epsilon^2$ is the upper 
bound on the failure probability of the error correcting code [RR12]. The 
specific security statement can be calculated using the amount of 
communication $c_{\epsilon'}$ and the probability that the error correction 
fails, $\epsilon'$, by combining the chain rule Eq. 3.40 and Eq. 3.88: 

$$ \Delta(\mathcal{E}, \mathcal{F})_\tau \leq \sqrt{2\epsilon - \epsilon^2} + 2^{-\frac{1}{2}(\ell' - c_{\epsilon'} - \ell) - 1} + \epsilon'. \qquad (3.91) $$

Using the post-selection theorem, the security parameter for all states $\rho$ is 

$$ \Delta(\mathcal{E}, \mathcal{F})_\rho \leq (n+1)^{d_Q^2 - 1} \left( \sqrt{2\epsilon - \epsilon^2} + 2^{-\frac{1}{2}(\ell' - c_{\epsilon'} - \ell) - 1} + \epsilon' \right). \qquad (3.92) $$

The second type of non-permutation invariant information 
reconciliation protocol is an error correcting code followed by a checking 
procedure as explained in Section 3.3.2. The checking procedure guarantees 
that we have corrected all of the errors with probability $1 - \epsilon_{\mathrm{cor}}$ 
with $\lceil \log(1/\epsilon_{\mathrm{cor}}) \rceil$ bits of communication and may 
increase the probability that the protocol aborts. The aborting probability, 
and hence the robustness, will depend on the particular choice of error 
correcting code. 

The length of the communication in error correction, 
$\lceil \log(1/\epsilon_{\mathrm{cor}}) \rceil$, should be taken into account in 
the privacy amplification analysis by using the chain rule Eq. 3.40. Using 
Eq. 3.88 the security parameter is 

$$ \Delta(\mathcal{E}, \mathcal{F})_\tau \leq \sqrt{2\epsilon - \epsilon^2} + 2^{-\frac{1}{2}(\ell' - \lceil \log(1/\epsilon_{\mathrm{cor}}) \rceil - \ell) - 1} + \epsilon_{\mathrm{cor}}. \qquad (3.93) $$

Combining this with the post-selection theorem, the security parameter for 
all states $\rho$ is 

$$ \Delta(\mathcal{E}, \mathcal{F})_\rho \leq (n+1)^{d_Q^2 - 1} \left( \sqrt{2\epsilon - \epsilon^2} + 2^{-\frac{1}{2}(\ell' - \lceil \log(1/\epsilon_{\mathrm{cor}}) \rceil - \ell) - 1} + \epsilon_{\mathrm{cor}} \right). \qquad (3.94) $$

For another example of using the post-selection technique to prove 
security of a QKD protocol, see [SLS10]. 

A further reduction may be applied to a security proof that assumes 
a product state $\sigma^{\otimes n}$ by using representation theory and 
symmetries in the protocol. For example, the BB84 protocol is invariant under 
permutations of the states $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$ to 
$\{|+\rangle, |-\rangle, |1\rangle, |0\rangle\}$.$^{10}$ These kinds of 
symmetries imply that $\sigma_Q$ should be of a simple form that can either be 
completely fixed by the parameters in the protocol (such as the error rate) or 
only depend upon a few free parameters [Ren05]. If there are free parameters 
in $\sigma_Q$ then a minimization over the free parameters of the key rate 
can then be performed. 

10 For those familiar with the Bloch sphere, this symmetry is just a rotation by $\pi/2$ in the 
X-Z plane [NC00]. 
3.4.4 Entanglement-Based and P&M Connection 

It can be useful to connect a P&M protocol with an entanglement 
based one, since some proof techniques require an entanglement based 
protocol (such as the uncertainty relation in Section 3.4.2). The connec¬ 
tion works by transforming the P&M protocol to an entanglement-based 
protocol that gives more power to Eve. 

In Section 1.2.2 it was shown that the BB84 P&M protocol can be 
related to the Ekert entanglement-based protocol, but this connection was 
under the assumption that the protocols were ideal. However, this 
assumption can be relaxed to the assumption that the prepared states 
are qubits (see Section 4.7). No assumptions need to be made about the 
measurements or other components in the protocol to make this 
connection. 


Alternatively, Alice can just prepare a bipartite state (which ideally 
would be maximally entangled) and measure half of it. Depending on her 
measurement outcome, she will infer which quantum state she is sending 
to Bob. The protocol is then clearly entanglement-based, except Alice is 
preparing the state instead of Eve. Some proof techniques that charac¬ 
terize the states or dimensions of the protocol can assume that Alice’s pre¬ 
pared state is known, which may aid in proving security. If this assumption 
is not made then this protocol is more pessimistic if it assumes that the bi¬ 
partite state is prepared by Eve instead of Alice. If security is proved in 
the scenario where Eve prepares the state then it implies security for the 
protocol where Alice prepares the state. 

For different protocols it may be necessary to have more assumptions 
about the P&M protocol to transform it into an entanglement-based one, 
though this transformation will depend upon the security proof technique 
and structure of the protocol. See [BLMR13] for an example. 


3.4.5 The Device-Independent Scenario 

The proof methods used in the device-independent scenario are 
different from those used in the device-dependent scenario. These kinds of 
protocols do not rely on the structure of the states or devices; they just 
try to establish that Alice and Bob have strong correlations between their 
states. Proving that strong correlations exist is a more challenging task 
since there is no symmetry that can be exploited in the protocol's states, 
sources, or measurements. Intuitively, if these correlations are strong 
enough, by the monogamy of entanglement Eve cannot have strong correlations 
with either Alice or Bob. The strength of the correlations is usually measured 
using the CHSH inequality [CHSH69], though other inequalities have also 
been considered [HASH13]. For more information about entangled states 
and strongly correlated quantum systems, see the recent review [BCP+14]. 


The CHSH Inequality 


One way of determining if strong correlations are shared between Al¬ 
ice and Bob is to use the Clauser-Horne-Shimony-Holt (CHSH) inequality 
[CHSH69]. This inequality is a particular example of a Bell inequality 
[Bel64]. The CHSH inequality, when violated (i.e. when the inequality is 
false), indicates that the bipartite states involved must be correlated in a 
way that cannot be explained by using what is called a local hidden variable 
theory. This is a theory where there is a variable that describes properties 
of each particle locally. While classical systems can be described using 
a local hidden variable theory, there exist quantum states that cannot be 
described in this way. 

Also, there is a maximum violation of the inequality that quantum states can reach. In particular, the higher the violation is, the more correlated the states are. Just like we used an error rate in the device-dependent scenario, we can use an estimate of the amount of violation to quantify how much privacy amplification and information reconciliation is necessary. Since these steps only depend on classical strings, proving security in the device-independent setting can also be reduced to putting bounds on the relevant min- and max-entropies.

The experiment in which the CHSH inequality applies involves two space-like separated measurement devices with two binary inputs and two binary outputs (see Fig. 3.2). It has been shown that quantum states can violate the CHSH inequality [FC72, AGR81, AGR82, ADR82, WJS+98, TBZG98, RKM+01, PBS+11, SSC+12, GMR+13, CMA+13].

The CHSH experiment is usually presented either through expectation 
values of observables or as a game [CHTW04]. While these are both equiv¬ 
alent presentations, they may be helpful to understand how the CHSH 
inequality works depending whether one approaches the problem from a 
physics or computer science/mathematical point of view. 

Two devices are space-like separated if they are outside each other's light cones, so that performing a measurement in each device cannot send signals to the other.

Figure 3.2: The CHSH experiment. Alice and Bob measure a bipartite state $|\Psi\rangle$, Alice choosing the set of POVM elements $\{F_x\}$ and Bob the set $\{F_y\}$, each uniformly at random. Alice and Bob get outcome 0 or outcome 1, which they can use to check the CHSH inequality, Eq. 3.96.

• CHSH: Expectation Values. 

Alice and Bob each have a measurement device and are allowed to input bits $x$ and $y$ respectively to get outcomes $a$ and $b$. We do not need to characterize the states that they share and input into the measurement devices; we only care about the expectation values for the two possible measurements each of them performs. If we define the observables that Alice and Bob measure as $F_x$ and $F_y$ respectively, with eigenvalues $\{1, -1\}$, then we can define the correlator $E(x,y)$, the expectation value of the product of the two observables, as



(3.95) 


This notation allows us to state the CHSH inequality as 


$$|E(0,0) + E(0,1) + E(1,0) - E(1,1)| \leq 2, \qquad (3.96)$$

where the upper bound of 2 refers to what is possible by local hidden variable theories. The maximum allowable quantum bound is $2\sqrt{2}$ [Tsi80].

• CHSH: Game. 

Alice and Bob each receive uniformly random binary inputs from 
a referee and have to send binary outputs back to the referee (see 
Fig. 3.3). Alice’s input is labelled as x and Bob’s input is labelled as 
y, while their outputs are labelled as a and b respectively. Alice and 
Bob can discuss a strategy before starting the game but then they are 
separated and they cannot communicate during the game. The goal 
Figure 3.3: The CHSH game. Alice and Bob get two uniformly random bits ($x$ and $y$ respectively) from a referee. Alice and Bob then have to send bits $a$ and $b$ back to the referee such that $a \oplus b = x \wedge y$.

for Alice and Bob is to have $a \oplus b = x \wedge y$, that is, the binary sum (XOR) of their outputs should equal the logical AND of their inputs. If their strategy is to share a joint physical state whose correlations give rise to the conditional probability distribution $P_{AB|XY}(ab|xy)$ then their probability of winning can be stated as

$$\Pr[\text{win}] = \sum_{\substack{x,y,a,b:\\ a \oplus b = x \wedge y}} P_{XY}(xy)\, P_{AB|XY}(ab|xy). \qquad (3.97)$$

The maximum achievable success probability for this game when Alice and Bob use only classical states (i.e. a local hidden variable strategy) is $\Pr[\text{win}] \leq 3/4 = 0.75$. It was shown by Tsirelson [Tsi80] that the maximum success probability when Alice and Bob use quantum states is $\Pr[\text{win}] \leq \cos^2(\pi/8) \approx 0.85$.

For further information about the CHSH game and other related games, see the review [BCMdW10].
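To make the two presentations concrete, the following is an added example (not code from the thesis): it computes $P(ab|xy)$ for the Bell state $|\Phi^+\rangle = (|00\rangle + |11\rangle)/\sqrt{2}$ under rotated-basis projective measurements (the state and the measurement angles are assumptions of the example, chosen to reach Tsirelson's bound), evaluates the correlators of Eq. 3.96 and the winning probability of Eq. 3.97 from the same distribution, exhausts the 16 deterministic classical strategies to recover the bound 3/4, and checks the no-signalling conditions that appear in Lemma 3.4.2 below, including for a distribution the thesis does not name, the Popescu-Rohrlich box, which is non-signalling, wins the game with certainty, and is produced by no quantum state.

```python
"""CHSH correlators, the CHSH game and the no-signalling conditions.

Added example, not code from the thesis.  Assumes the Bell state
|Phi+> = (|00> + |11>)/sqrt(2) and real rotated-basis projective
measurements; the angles are the standard choice reaching Tsirelson's
bound.  Pure Python, no numpy.
"""
import itertools
import math

INPUTS = ((0, 0), (0, 1), (1, 0), (1, 1))
PHI_PLUS = [1 / math.sqrt(2), 0.0, 0.0, 1 / math.sqrt(2)]   # |00>, |01>, |10>, |11>

def basis_vector(theta, outcome):
    """Basis rotated by theta: outcome 0 -> (cos t, sin t), outcome 1 -> (-sin t, cos t).
    Real amplitudes suffice for CHSH on |Phi+>."""
    if outcome == 0:
        return [math.cos(theta), math.sin(theta)]
    return [-math.sin(theta), math.cos(theta)]

def quantum_distribution(alice_angles, bob_angles, state=PHI_PLUS):
    """P(a,b|x,y) = |<u_a^x (x) v_b^y | psi>|^2 for inputs x,y and outcomes a,b."""
    dist = {}
    for x, y in INPUTS:
        for a, b in INPUTS:
            u, v = basis_vector(alice_angles[x], a), basis_vector(bob_angles[y], b)
            meas = [ui * vj for ui in u for vj in v]            # u (x) v
            amp = sum(m * s for m, s in zip(meas, state))
            dist[(a, b, x, y)] = amp * amp
    return dist

def correlator(dist, x, y):
    """E(x,y) = <F_x F_y> with outcomes 0/1 mapped to eigenvalues +1/-1."""
    return sum((-1) ** (a ^ b) * dist[(a, b, x, y)] for a, b in INPUTS)

def chsh_value(dist):
    """S = E(0,0) + E(0,1) + E(1,0) - E(1,1), the left-hand side of Eq. 3.96."""
    return (correlator(dist, 0, 0) + correlator(dist, 0, 1)
            + correlator(dist, 1, 0) - correlator(dist, 1, 1))

def win_probability(dist):
    """Eq. 3.97 with uniform inputs: Pr[win] = 1/4 sum_{a xor b = x and y} P(ab|xy)."""
    return sum(0.25 * p for (a, b, x, y), p in dist.items() if a ^ b == x & y)

def is_non_signalling(dist, tol=1e-12):
    """Last two constraints of Eq. 3.98: Bob's marginal must not depend on x,
    Alice's marginal must not depend on y."""
    for b, y in INPUTS:
        if abs(sum(dist[(a, b, 0, y)] for a in (0, 1))
               - sum(dist[(a, b, 1, y)] for a in (0, 1))) > tol:
            return False
    for a, x in INPUTS:
        if abs(sum(dist[(a, b, x, 0)] for b in (0, 1))
               - sum(dist[(a, b, x, 1)] for b in (0, 1))) > tol:
            return False
    return True

def deterministic_distribution(fa, fb):
    """Local deterministic strategy: Alice answers fa[x], Bob answers fb[y]."""
    return {(a, b, x, y): float(a == fa[x] and b == fb[y])
            for a, b, x, y in itertools.product((0, 1), repeat=4)}

def best_classical():
    """Exhaust the 16 deterministic local strategies.  Shared randomness only
    mixes them and cannot do better, since Pr[win] is linear in the distribution."""
    return max(win_probability(deterministic_distribution(fa, fb))
               for fa in INPUTS for fb in INPUTS)

def pr_box():
    """Popescu-Rohrlich box: always a xor b = x and y, yet non-signalling.
    CHSH value 4 and Pr[win] = 1, so it satisfies the constraints of Eq. 3.98
    although no quantum state produces it."""
    return {(a, b, x, y): 0.5 if a ^ b == x & y else 0.0
            for a, b, x, y in itertools.product((0, 1), repeat=4)}

# Alice: theta_0 = 0, theta_1 = pi/4; Bob: phi_0 = pi/8, phi_1 = -pi/8.
TSIRELSON_ANGLES = ((0.0, math.pi / 4), (math.pi / 8, -math.pi / 8))

def quantum_optimum():
    """(CHSH value, win probability) of the Tsirelson strategy on |Phi+>."""
    dist = quantum_distribution(*TSIRELSON_ANGLES)
    return chsh_value(dist), win_probability(dist)

if __name__ == "__main__":
    s, p = quantum_optimum()
    print(f"classical: win <= {best_classical():.4f}, CHSH <= 2")
    print(f"quantum:   win =  {p:.4f}, CHSH = {s:.4f} (2*sqrt(2) = {2 * math.sqrt(2):.4f})")
    print(f"PR box:    win =  {win_probability(pr_box()):.4f}, CHSH = {chsh_value(pr_box()):.4f}")
```

Running it prints the three rows classical / quantum / PR box. Because both quantities are computed from the same $P(ab|xy)$, the code also exhibits the linear relation between the two presentations under uniform inputs, $\Pr[\text{win}] = 1/2 + S/8$, which maps $S = 2$ to $3/4$ and $S = 2\sqrt{2}$ to $\cos^2(\pi/8)$.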

In a device-independent QKD protocol Alice and Bob will have measurement devices that take inputs (which may, for example, ideally pick a basis). Typically Alice and Bob will input uniformly random bits into their measurements. Alice and Bob can then estimate, from the fraction of rounds whose outputs satisfy the CHSH condition $a \oplus b = x \wedge y$, the CHSH value of Eq. 3.96, called the CHSH violation. They share a subset of their outcomes and can use Serfling's inequality (Lemma 3.3.4) to bound the CHSH violation over the remainder of their measurement outcomes.

In order to use the CHSH value to prove security, the following inequality was used in a security proof for a device-independent QKD protocol [W12].
Lemma 3.4.2 (CHSH inequality, Eq. A.10 in [PAM+10]). Given a conditional probability distribution $q(a,b|x,y)$ with CHSH violation $I$, define $c_{xy} := -1$ if $(x,y) = (1,1)$ and $c_{xy} := 1$ otherwise, $d_{ab} := 1$ if $a = b$ and $d_{ab} := -1$ if $a \neq b$, and the distribution

$$q^*(a,b|x,y) = \max_{q}\; q(a,b|x,y) \quad \text{subject to} \qquad (3.98)$$
$$\sum_{a,b,x,y} d_{ab}\, c_{xy}\, q(a,b|x,y) = I,$$
$$q(a,b|x,y) \geq 0,$$
$$\sum_{a,b} q(a,b|x,y) = 1,$$
$$\sum_{a} q(a,b|x,y) = q(b|y),$$
$$\sum_{b} q(a,b|x,y) = q(a|x),$$

then the following inequality holds 

q*(a,b\x,y) (3.99) 

Note that the maximum in Eq. 3.98 is over probability distributions 
that result in the CHSH violation observed and that are non-signalling. 
Technically, the non-signalling condition is just the last two conditions in 
Eq. 3.98, and it means that Alice’s choice of input should not influence 
Bob’s measurement outcome and vice-versa. This fact is due to relativity: if 
Alice’s and Bob’s measurement devices are space-like separated, then they 
cannot influence each other. The maximum is taken over these probability 
distributions in order to show that the upper bound in Eq. 3.99 applies 
regardless of which probability distribution Alice and Bob actually have 
from their quantum states. 

Also note that Eq. 3.98 maximizes over probability distributions that are not necessarily allowed by quantum mechanics. For example, the no-signalling conditions alone admit distributions with CHSH value up to 4, which win the CHSH game with certainty, whereas quantum strategies win with probability at most $\cos^2(\pi/8) \approx 0.85$. Therefore, the bound Eq. 3.99 may be too pessimistic, since the maximization ranges over distributions that may never occur from Alice's and Bob's measurements. However, since every distribution produced by measurements on quantum systems satisfies the constraints of Eq. 3.98, Eq. 3.99 still holds for such distributions. It is not trivial to relate the optimal probability distribution $q^*$ to a distribution that comes from quantum systems.

In addition, Eq. 3.98 needs to be related to the min-entropy to prove 
secrecy, which is beyond the scope of this thesis but more information can 
be found in [PAM+10, W12], 



There are several different ideas that come together to prove security 
in this setting [ABG + 07, W12]. However, [W12] is currently the only 
protocol that is robust against noise and losses, and therefore there are no 
general techniques to date. 


3.5 Summary 


To conclude this chapter, we review each of the techniques discussed 
and under which QKD classes (Section 3.4.1) they apply to. We also list 
any classical uniform randomness and/or any communication necessary 
for the classical post-processing steps (Fig. 3.4). 

The privacy amplification step of the classical post-processing reduces 
the problem of proving secrecy of a QKD protocol to bounding the min- 
entropy of Alice’s string conditioned on Eve’s state. Information reconcil¬ 
iation reduces proving correctness of the protocol to performing an error 
correcting code followed by hashing to check that Alice’s and Bob’s strings 
are the same with high probability. Parameter estimation gives a way to 
estimate the number of errors between Alice’s and Bob’s strings as well 
as the max-entropy of Alice’s string conditioned on Bob’s string using the 
error rate (or CHSH violation) by having Alice and Bob communicate a 
small fraction of their strings. 

We discussed several reductions, such as reducing the Hilbert space 
of the quantum signals to a small fixed Hilbert space (the post-selection 
technique) and relating P&M protocols to entanglement based ones. Two 
methods of proving security are the Devetak-Winter rate in the infinite-key 
limit and an uncertainty relation, which bounds the min-entropy by the 
max-entropy. 

The details of the assumptions needed to apply security proofs to im¬ 
plementations will be analyzed in detail in Chapter 4. 
leak is any communication Alice sends to Bob that is correlated to her key.
Chapter 4

Assumptions 


4.1 Introduction 


In this chapter we propose a framework that can be used to state assumptions in quantum key distribution and quantum cryptography in a clear and concise way. We provide a detailed list of the kinds of assumptions that are made in order to prove the security of QKD protocols and to connect the models under which security is proven with their implementations. Many of the assumptions in this chapter were previously mentioned in [SK09].

Recall that in Chapter 1 we introduced several descriptions of proto¬ 
cols that were implemented in an idealized setting, which we called per¬ 
fect models (Sections 1.2.2,1.2.3, and 1.2.4). However, there are several 
gaps between the perfect models of QKD protocols and their actual exper¬ 
imental realizations. Any deviation from the model under which security 
is proven may leak information to Eve or allow Eve to exploit the devices 
to gain information. This leakage of information compromises the secu¬ 
rity of the protocol and could even make the protocol entirely insecure! 
Therefore, the assumptions made are crucially important to the security 
of the protocol. It is not enough to prove security for an idealized model; 
the model must also accurately describe an implementation, otherwise the 
implementation may not be secure. 

Whenever a model and the implementation disagree then Eve may 
employ side-channel attacks: Eve may attack the implementation in a way 
that is not accounted for in the model. 

We begin this chapter with a summary of the ways in which perfect 
models differ from implementations of QKD protocols. 
• Lab Isolation. The models assume that Alice's and Bob's devices are completely isolated so that Eve cannot interact with them in any way. However, since Alice and Bob need to input states into and receive states from the quantum channel, they need to have some interface with the channel. If Eve can probe Alice's and Bob's devices through this interface then she may learn something about the measurement outcomes or prepared states.

• Source states. The perfect models in Chapter 1 assume the prepa¬ 
ration of an exact state. In practice, however, states can only be 
prepared approximately. The actual prepared state may differ from 
the intended state in two ways. Either the prepared state is in the 
same Hilbert space but is not the intended state or the prepared state 
may be a superposition or mixture of the intended state with other 
states in other Hilbert spaces. The prepared state may also have a 
combination of these kinds of errors. 

• Measurements. Similarly to source states, when measurements are 
performed, they may not perform the exact POVM elements that are 
intended. In addition, they may also measure states outside of the 
Hilbert space the protocol is designed to measure in. Since the mea¬ 
surements may react to states outside of the intended Hilbert space, 
Eve can modify the states in the quantum channel to exploit the full 
Hilbert space available to her. 

Measurements may also give outcomes that are non-existent in the 
perfect protocol. For example, a measurement result could be output 
when there is no received signal. Conversely, there may be losses in 
the measurement device or in the quantum channel that result in no 
measurement outcome when a state was prepared. 

• Device calibration. Something that is not considered in the per¬ 
fect models is that the physical devices may need to be calibrated 
between Alice and Bob. For example, Alice and Bob may need to 
establish a shared reference frame before the QKD protocol, which 
may give Eve information about Alice’s and Bob’s devices. 

• Timing. In addition to the device calibration, Alice and Bob also 
need to agree on the timing of signals. For example, in a P&M pro¬ 
tocol when Alice sends states to Bob through the quantum channel, 
Bob needs to know which measurement results correspond to which 
sent states. Therefore, Alice and Bob also need to fix a timing so that 
sent states are associated with the correct measurement outcomes. 
In addition, Bob’s measurements are not performed instantaneously. 
His measurement has a finite measurement time, which Eve may 
exploit. Also, some measurements have a “dead time” where the
measurement device will not respond to incoming signals (see Sec¬ 
tion 4.5.4). 

• Classical post-processing. In the classical post-processing steps the 
estimation of the amount of information that Eve has from the quan¬ 
tum stage of the protocol from the communication sent in the au¬ 
thenticated public classical channel should be quantified. If this esti¬ 
mation does not incorporate deviations from the model used to prove 
security then the estimation may be inaccurate, resulting in leaking 
more information to Eve than what the security proof accounts for. 
Also, randomness is used for many parts of the protocol. This ran¬ 
domness should be true randomness (see Section 1.1.2), otherwise 
Eve may be able to make predictions about certain parts of the pro¬ 
tocol. 

To begin this chapter, we discuss the use of the term “unconditional” 
security (Section 4.2). Then we classify assumptions into four categories 
(Section 4.3). 

After these preliminary sections, we discuss assumptions in quantum 
cryptography and quantum key distribution that are general (Section 4.4), 
which includes the foundations of physics (Section 4.4.1), the isolation of 
Alice’s and Bob’s labs (Section 4.4.2), and the calibration of Alice’s and 
Bob’s devices (Section 4.4.3). Next, we introduce several physical devices 
and how they ideally behave (Section 4.5). As an example of implementa¬ 
tions we consider two implementations of the BB84 protocol (Section 4.6). 

Lastly, we discuss assumptions about sources (Section 4.7), measure¬ 
ments (Section 4.8), and classical post-processing (Section 4.9). 


4.2 “Unconditional” Security 


Before discussing the assumptions made in QKD and quantum cryp¬ 
tography, we discuss the term “unconditional security,” which is used in 
the literature to imply that a protocol is secure against general (coherent) 
attacks by Eve (see Section 3.4.1) [SK09]. However, the term “uncon¬ 
ditional” implies that the security is not conditioned on any assumptions 
or only relies on the fundamental assumption that quantum mechanics is 
complete (see Section 4.4.1). Clearly protocols are not “unconditionally” 
secure: there are many assumptions made about each of the components 
used in the protocol. As was pointed out in [SK09] the only part that has 
no conditions is what we assume about Eve’s attack structure; we do make
assumptions about Alice’s and Bob’s devices and subprotocols. 

There are other terms that do not have this confusion about assump¬ 
tions. One is just “security,” since security proofs always come with as¬ 
sumptions. Another term is “information-theoretic security,” which implies 
that security is proven using information theory, such as the security crite¬ 
ria in Section 3.2. 

Note that there are efforts to prove security under certain assumptions about Eve's attack, such as if Eve's memory is bounded [DFSS05]. There are also security proofs that try to prove that a quantum protocol is secure against adversaries that can do attacks in a theory more general than quantum mechanics [BHK05, AGM06, Mas09, HR10, Han10, HRW10].


4.3 Assumption Classes 


We decompose assumptions into four classes. The classification of 
assumptions we present can be used to discern how justified assumptions 
are and whether Eve can get an advantage from such assumptions. 

First, an assumption may be fundamental, which means that the as¬ 
sumption is assumed without any experimental verification. This assump¬ 
tion can be justified if it depends on foundational principles that are sup¬ 
ported by our current understanding of physics, such as that information 
cannot travel faster than the speed of light or that quantum mechanics is 
a correct theory (see Section 4.4.1). Fundamental assumptions may be 
unjustified if they are not even approximately correct. For example, it may 
be assumed that qubits are measured by Bob. If Eve is assumed to be able 
to do anything allowed by quantum mechanics and Bob does not check to 
see if he is getting qubits, then the assumption that Bob receives a qubit 
from her is unjustified and fundamental. 

Second, there are calibrated assumptions, which are approximately 
correct but cannot be guaranteed by an experiment. A device may approx¬ 
imate a model for the device, which can be checked with experiments but 
the experiments do not guarantee that this model will hold exactly in an 
implementation. For example, a measurement device may be constructed 
to approximate a particular POVM. The device may be tested to check that 
it approximately implements the desired POVM. However, if it is assumed 
that the device implements the model POVM then Eve may get an advan¬ 
tage from the deviation of the model from the implementation, even if the 
model is approximately correct. 
Third, an assumption may be verifiable, which means that the as¬
sumption can be verified experimentally or a theoretical analysis implies 
that Eve cannot gain any advantage (or the amount of the advantage is 
known) due to the model deviating from the implementation. For exam¬ 
ple, it may be assumed that measurements satisfy a particular property 
that can be experimentally verified before the protocol begins. Verifiable 
assumptions may also be about the structure of the protocol. For example, 
a measurement may be assumed to have two basis choices. If the protocol 
is implemented with this construction then this assumption is justified. 

Fourth, there may be assumptions that can be justified by changing 
the implementation, such as adding a quantum device or modifying the 
classical post-processing, which we call satisfiable. The modification of the 
implementation may lead to the need for more assumptions about addi¬ 
tional devices or modifications. For example, it may be assumed that Eve 
does not send light into Bob’s measurement device that is beyond a certain 
intensity. This can be a satisfiable assumption if Bob monitors the intensity 
of the incoming light, which requires the addition of an intensity monitor. 
Further assumptions may be necessary about the intensity monitor, which 
may not be justified. 

The assumption classes that can be completely justified are verifiable assumptions, satisfiable assumptions that either require no further assumptions or only assumptions that are themselves justified, and some fundamental assumptions. Fundamental assumptions are either justified by the underlying physical theory or they are completely unjustified and are only made so that the model where the security proof applies is the same as the implementation, regardless of whether the implementation satisfies the assumption or not. Calibrated assumptions may be approximately justified, since the devices are approximately the same as their intended model. However, since Eve can exploit any deviation of Alice's and Bob's devices, it is not clear a priori how much of an advantage Eve gets from a calibrated device that deviates from its model. This ambiguity makes the justification of calibrated assumptions unclear, and such assumptions deserve further analysis to determine the extent of Eve's advantage. Satisfiable assumptions are justified by a modification of the protocol. However, the addition of other devices or modifications of the existing protocol usually requires further assumptions. Note that assumption classes other than satisfiable assumptions may be justified without requiring a modification of the protocol.

We will use the four classes (fundamental, calibrated, verifiable, and 
satisfiable) to classify the assumptions in this chapter. We begin the de¬ 
tailed discussion of assumptions with universal assumptions that are applicable to almost all quantum-cryptography and quantum-key-distribution
protocols. 


4.4 Universal Assumptions 

There are several basic assumptions that are made for almost all 
quantum-cryptography protocols. Here we outline foundational assump¬ 
tions about the underlying physical theory used to define models of the 
protocols, the isolation of Alice’s and Bob’s devices from any eavesdrop¬ 
per, and the calibration of Alice’s and Bob’s devices before performing a 
protocol. 

4.4.1 Foundational Assumptions 

Security of a quantum-cryptography protocol is usually proven with 
an adversary or dishonest party who is able to use any possible attack 
allowed by quantum physics. However, this assumption implicitly assumes 
that quantum physics is complete. 

A complete theory is one in which the predictions it makes about what 
is observable are the most accurate predictions possible by an experiment. 
Therefore, quantum mechanics is complete if it can make the best predic¬ 
tions about all possible measurement outcomes. This assumption implies 
that an adversary cannot get any more information about Alice’s and Bob’s 
keys in a QKD protocol than what is possible by quantum mechanics. 

It was shown that instead of directly assuming that quantum mechan¬ 
ics is complete, two other assumptions can be made: that the theory is 
correct and that free randomness exists [CR11, CR12b, CR12c]. 

A correct theory is one that makes accurate predictions about what 
is observable. Quantum mechanics is correct if the predictions it makes 
about measurement outcomes are accurate. The assumption that free ran¬ 
domness exists is that measurement choices (such as a basis choice) can 
be chosen independently of the measurement device itself. 

Therefore, a fundamental assumption we make for the security of 
QKD is that quantum mechanics is correct and free randomness exists, 
since these imply that quantum mechanics is complete. 

There are other models for the underlying physical theory that are used instead of quantum mechanics, for example, that a generalized probabilistic theory describes physical reality [BHK05, AGM06, Mas09, HR10, Han10, HRW10].
4.4.2 Isolation of Labs


Alice's and Bob's devices should be completely isolated from Eve. If Eve is able to get information from their devices directly then the protocol may be completely compromised. For example, in a P&M protocol, if Eve learns all of the measurement outcomes from Bob or knows which states were prepared by Alice then the protocol is completely insecure.


There are a few known attacks of this type. For example, if Alice and 
Bob do the phase implementation of the BB84 protocol (see Section 4.6.2) 
then Eve can send states into Alice’s source via the quantum channel and 
learn the setting of Alice’s phase modulator [RGG + 98, SK09]. Therefore, 
for this attack on the BB84 protocol, the assumption that Alice’s lab is 
isolated is a satisfiable assumption, since Alice can monitor the intensity of 
incoming light from the quantum channel. If Alice detects incoming light 
then Alice and Bob would abort the protocol. 


Another example of an attack against lab isolation is in any protocol 
that uses threshold detectors for a measurement (see Section 4.5.4). When 
threshold detectors recover after a detection they can emit light which can 
leak out into the quantum channel. Eve can then collect this light and 
potentially learn which threshold detector clicked [KZMW01, SK09]. In 
this case, the isolation of Bob’s lab is a satisfiable assumption, since Bob can 
put a barrier between his measurement device and the quantum channel 
while his threshold detectors are recovering, so that any light would be 
blocked from leaking outside of his lab during his detector’s recovery. 


Yet another attack that violates lab isolation is for two-way QKD pro¬ 
tocols, where the two quantum channels (as in Figs. 5.1 and 5.2) are actu¬ 
ally the same quantum channel used in two directions. In this case, Alice 
is both sending and receiving states from the same quantum channel and 
therefore requires an open interface with the quantum channel. This in¬ 
terface allows Eve to send states into Alice’s lab to potentially determine 
how Alice prepared her states or what her measurement basis choice is. 


In general, the assumption that Alice's and Bob's labs are isolated is a fundamental assumption, because we assume that Eve cannot break into Alice's or Bob's lab and steal their measurement outcomes.³

³ This comic (http://xkcd.com/538/) captures this idea.
4.4.3 Device Calibration

There are two kinds of calibration that Alice and Bob can do before 
a quantum-cryptography protocol. First, Alice and Bob can calibrate their 
own devices so that they are working as they are intended. Second, Alice 
and Bob may need to perform a joint calibration that requires classical or 
quantum communication. The first kind of calibration can be done inside 
Alice’s and Bob’s isolated labs, and therefore under the assumption that 
their labs are isolated, no further assumptions are necessary about the 
calibration procedure. However, the second kind of calibration requires 
an interaction between Alice and Bob that Eve may interfere with. The 
calibration may leak information to Eve through Alice and Bob’s commu¬ 
nication and further assumptions may be necessary. 

As an example of the second kind of calibration in P&M protocols, 
Alice would like to prepare states such that Bob’s measurement can dis¬ 
tinguish them. Before the protocol starts, it is important that Alice and 
Bob calibrate their devices to optimize the correlations between Alice’s 
sent states and Bob’s measurement outcomes. In an entanglement based 
protocol, it is also important to calibrate both measurement devices so 
that Alice’s and Bob’s measurement results are as correlated as possible. 
For the polarization implementation of BB84 (see Section 4.6.1), what is 
defined as horizontal polarization for Alice is relative to a particular refer¬ 
ence frame. Therefore, Bob needs to calibrate his measurement so that he 
shares the same reference frame as Alice. 

The reference frame calibration procedure can be done before the 
QKD protocol. Alice can continually rotate her reference frame while send¬ 
ing many states to Bob and classically communicate through an authen¬ 
ticated channel which states she is sending. Bob can communicate his 
measurement outcomes to Alice. If Alice and Bob repeat this procedure 
for different angles then they can share approximately the same reference 
frame that will maximize their correlations for the run of the QKD proto¬ 
col. 


In addition to calibrating their reference frames, Alice and Bob need 
to agree on a timing of their signals so that Bob knows which states sent 
from Alice correspond to which measurement results. Note that Alice and 
Bob cannot just infer this correspondence from the order of the measure¬ 
ment outcomes and sent states during a run of the QKD protocol since 
some states may be lost between Alice and Bob due to losses (or Eve). 
Since the signals will be sent in rapid succession, it is important that Alice 
and Bob have accurate clocks so that they know which sent states corre¬ 
spond to which measurement outcomes during the protocol. Alice and Bob 
can synchronize their clocks by using a trusted third party. Alternatively,
there are classical protocols that can be used to synchronize clocks with¬ 
out the need of a third party. Once their clocks are synchronized, Alice 
and Bob can also test to see how long it takes for Alice’s states to reach 
Bob. Then, throughout the QKD protocol Alice can communicate through 
the classical authenticated channel to Bob when she sent her states so that 
Bob knows which measurement outcomes correspond to which of Alice’s 
states. 

The assumptions required for the model to match the implementation are dependent on the calibration method. For example, it is important that Alice communicates timing information to Bob during the protocol only through the authenticated classical channel, otherwise Eve may send incorrect timing information to Bob, which could give her an advantage [JWL+11]. It may also be necessary to make a fundamental assumption that a third party is trustworthy to synchronize their clocks.

Reference frame calibration may be avoided if a QKD protocol is used that does not need this calibration [SLS10, LWL+14a].

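As an added example (not code from the thesis) of the timing step described above: Bob assigns each detection to one of Alice's announced send slots using the propagation delay measured beforehand, keeps slots with exactly one click, sets aside slots with several clicks and clicks that fall in no window, and before any of this checks a message authentication tag on Alice's announcement so that timing information from anyone but Alice is rejected. The slot schedule, the pre-shared key, the delay and Bob's timestamps are all constructed for the example, and the HMAC tag is a stand-in for the channel's authentication, which the thesis does not prescribe in any particular form.

```python
"""Assigning Bob's detection events to Alice's announced send slots.

Added example, not code from the thesis.  Constructed data throughout:
the slot schedule, the pre-shared authentication key, the measured
propagation delay and Bob's detection timestamps (arbitrary time units).
The HMAC tag stands in for whatever authentication the classical channel
uses; the thesis prescribes none in particular.
"""
import hashlib
import hmac
import json

def tag_announcement(key, announcement):
    """Alice's MAC over the timing announcement sent on the classical channel."""
    msg = json.dumps(announcement, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_announcement(key, announcement, tag):
    """Bob accepts timing information only if it carries Alice's tag."""
    return hmac.compare_digest(tag_announcement(key, announcement), tag)

def match_detections(announcement, detections, delay, window):
    """Assign each detection time t to the slot i whose expected arrival
    t0 + i*period + delay lies within +-window of t.

    Returns (matched, multiple, unmatched):
      matched   {i: t}    slots with exactly one click
      multiple  {i: [t]}  slots with more than one click
      unmatched [t]       clicks outside every window (dark counts or light
                          that did not come from Alice's schedule)
    Lost signals simply produce no entry for their slot.
    """
    t0, period, n = announcement["t0"], announcement["period"], announcement["slots"]
    if 2 * window >= period:
        raise ValueError("acceptance windows must not overlap")
    per_slot = {}
    unmatched = []
    for t in sorted(detections):
        i = round((t - delay - t0) / period)          # nearest slot index
        expected = t0 + i * period + delay
        if 0 <= i < n and abs(t - expected) <= window:
            per_slot.setdefault(i, []).append(t)
        else:
            unmatched.append(t)
    matched = {i: ts[0] for i, ts in per_slot.items() if len(ts) == 1}
    multiple = {i: ts for i, ts in per_slot.items() if len(ts) > 1}
    return matched, multiple, unmatched

# Constructed scenario (hypothetical key, schedule, delay and clicks).
KEY = b"pre-shared authentication key"
ANNOUNCEMENT = {"t0": 0.0, "period": 10.0, "slots": 8}
TAG = tag_announcement(KEY, ANNOUNCEMENT)
DELAY = 3.2                                          # measured before the run
DETECTIONS = [13.2, 33.1, 43.3, 57.9, 63.25, 63.4]   # Bob's click timestamps

def sift_timing(announcement=ANNOUNCEMENT, tag=TAG, detections=DETECTIONS,
                key=KEY, delay=DELAY, window=0.5):
    """Bob's timing step: authenticate first, then assign clicks to slots."""
    if not verify_announcement(key, announcement, tag):
        raise ValueError("timing announcement failed authentication: abort")
    return match_detections(announcement, detections, delay, window)

if __name__ == "__main__":
    matched, multiple, unmatched = sift_timing()
    print("matched:", matched)
    print("multiple clicks:", multiple)
    print("unmatched:", unmatched)
```

With the constructed data, slots 1, 3 and 4 receive one click each, slot 6 receives two clicks (63.25 and 63.4), the click at 57.9 lies in no window and is reported separately, and slots 0, 2, 5 and 7 are simply lost. An announcement whose contents have been altered fails the tag check and the step aborts, which is the check that the reliance on the authenticated channel in the paragraph above amounts to.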

4.5 Devices for Quantum-Cryptography 
Implementations 


The universal assumptions that apply to most quantum-cryptography 
and QKD protocols have now been discussed. Now we go into the details 
of specific devices used in QKD. Afterward, we present two examples of 
implementations of the BB84 protocol that use these devices (Section 4.6), 
followed by assumptions about the devices used in QKD and quantum- 
cryptography protocols. 

We will not go into the full details of the physics that describe the devices used for quantum cryptography, though this is an interesting endeavour in its own right. Instead we will describe these devices with their ideal descriptions and how they can be modelled. In later sections we will describe how they may deviate from these models, which has consequences for the assumptions made in QKD protocols. Further details on how these optical devices work can be found in a quantum optics book, such as [Lou00].

We focus on devices used in discrete-variable and device-independent 
protocols, such as attenuated lasers (Section 4.5.1), parametric down- 
conversion (Section 4.5.2), beamsplitters (Section 4.5.3), threshold detec¬ 
tors (Section 4.5.4), and Mach-Zehnder interferometers (Section 4.5.5). 
4.5.1 Weak Laser

Ideally we would like a source of single particles to encode the states 
used in discrete P&M QKD protocols. Typically photons are used since they 
can be easily transmitted either through fibre-optic cables or through free 
space (e.g. the atmosphere or space). However, current technology does 
not allow single photons to be produced on demand. Usually coherent 
states are used instead (see Eq. 1.12). 

One source of photons is a laser that produces coherent states. Coherent states are an approximation of the state a laser produces. This approximation requires the power given to the laser to be well over a certain threshold and requires a laser designed to produce a single mode (i.e. a single frequency of light) [Lou00]. The phase of the produced states may also give information to Eve and should be taken into account (see Section 4.7.1).

A laser can be given power for a short time to produce coherent states localized in a small spatial region, followed by an attenuator (i.e. a device that reduces the light's power). After the attenuator the state will be a coherent state with a low average photon number and a short spatial (or equivalently, temporal) width [RHR+07]. The spatial width is the wave function's spatial degree of freedom. The probability of measuring the photon at a particular time after its production is approximately distributed according to a Gaussian distribution [Lou00].

The values of the average photon number used for QKD are typically less than one photon per pulse [SBPC+08].


4.5.2 Parametric Down-Conversion 

Another way to produce photons is to use a process called parametric down-conversion (PDC). This process is performed by shining a laser continuously at a particular type of non-linear crystal. This crystal takes one state of light in a single mode (i.e. a single frequency) and decomposes it into two states, each with half the frequency of the initial state. They also spread out in two spatial directions such that momentum is conserved. To conserve photon number, the average photon number of the initial pulse will be split such that the sum of the average photon numbers of each output pulse is equal to the average photon number of the initial laser light. While most of the laser light goes through the crystal without interacting with it, sometimes the state will be split into these two pulses. The two outputs from the crystal are called the signal and the idler.




These two output pulses can be used as a source for entangled photons. The two pulses will have orthogonal polarization (which we denote with H and V, see Section 4.6.1) and are spatially distributed in two intersecting circles. At the intersection of these two circles the polarization of the output is ambiguous. Along these spatial modes the output is the maximally entangled pure state

\[ |\psi\rangle = \frac{|a\rangle|-a\rangle + |-a\rangle|a\rangle}{\sqrt{2}} \qquad (4.1) \]

where $|\psi\rangle$ is in the Hilbert space of the polarization in the two spatial modes. Therefore, PDC can be used as a source of entangled bipartite states.


To produce single states from this process, a measurement device can be placed before the spatial location of the idler and whenever the measurement reveals that there is a signal then it is known that a signal state is present (see Section 4.5.4 for the details of this measurement device). This kind of source, where a measurement indicates when a state is prepared, is called a heralded source.

There are sources other than weak laser pulses and parametric down-conversion, such as nitrogen vacancies in diamond and quantum dots (see [ABP+14] and [HHW+13] for recent experiments that use these sources).


4.5.3 Beamsplitters 


A beamsplitter is a simple optical device that takes two input modes and has two output modes (see Fig. 4.1). A beamsplitter can be modelled as a matrix acting on the creation operators for the two input modes:

(4.2)

where $T$ and $R$ are the transmissivity and reflectivity of the beamsplitter respectively. They satisfy $|R|^2 + |T|^2 = 1$ and $RT^* + TR^* = 0$ [Lou00].

A particular example of a beamsplitter is a 50:50 beamsplitter, where $R = i/\sqrt{2}$ and $T = 1/\sqrt{2}$.


Figure 4.1: A beamsplitter. It takes input modes $a_1$ and $a_2$ to output modes $a_3$ and $a_4$ according to Eq. 4.2.

Consider a single photon in a single mode input into arm 1 to a 50:50 beamsplitter while the input into arm 2 is the vacuum. In this case the output is given by $(|1\rangle_3 + i|1\rangle_4)/\sqrt{2}$. This means that the photon is in a superposition of being transmitted through the beamsplitter or was reflected by the beamsplitter and acquiring a phase of $\pi/2$ (since $e^{i\pi/2} = i$).

Another example is if a coherent state, $|\alpha\rangle$, is input to a 50:50 beamsplitter in arm 1 and the vacuum is input to arm 2. In this case the output is

(4.3)

(4.4)

(4.5)

This state is a coherent state that is distributed over the two output modes with a superposition of different possible photons in each output mode.

Another kind of beamsplitter is a polarizing beamsplitter (see Section 4.6.1 for the details of polarization). Polarizing beamsplitters can separate two orthogonal polarization states into its two outputs. For example, if horizontally polarized light is sent into one arm then it is always transmitted and if vertically polarized light is sent into the same arm then it is always reflected.

4.5.4 Threshold Detectors 

A threshold detector is a measurement that gives an output, click, when it measures one or more photons and otherwise it outputs no click. Formally, its POVM elements are the projection onto $|0\rangle\langle 0|$ (the vacuum) and $\sum_{n \geq 1} |n\rangle\langle n|$ (one or more photons). This kind of measurement can be implemented in various ways. Here we present an implementation of threshold detectors: avalanche photodiodes (see [DDY+09, YSD+10, PDS+12, KBS+14] for experiments characterizing these devices).

Avalanche photodiodes are made out of a semiconductor material (such as indium gallium arsenide, InGaAs) that has an electric field applied to it [RS02]. These detectors exploit the photoelectric effect so that an incident photon excites an electron in the semiconductor. Since an electric field is applied, the electron has enough energy to excite one or more electrons, which can excite further electrons, which go on to excite more electrons, leading to an avalanche of excited electrons. If many electrons are excited then a current can be measured, indicating that at least one photon hit the detector.

The avalanche is a random process that depends on the strength of the electric field. However, if an electron absorbs energy from the semiconductor (i.e. a phonon) then an avalanche can occur without any incident photons. These events are called dark counts. The stronger the electric field, the more likely it is that dark counts will occur.

Conversely, the photon may excite an electron, but if too few electrons 
are excited then there is no avalanche, so no current will be registered. 
Therefore, the weaker the electric field, the more likely that a photon will 
not induce an avalanche, resulting in loss. Therefore, by changing the 
strength of the electric field there is a tradeoff between the probability of 
dark counts and the efficiency of the detector. In addition, the photon may 
not be absorbed by the material but may be reflected or pass through the 
material, which also results in loss. 

After the avalanche, the semiconductor needs to have all of its electrons return to their unexcited state by turning the electric field off. The time it takes for the electrons to return to their unexcited state is called the recovery time or dead time (since the threshold detector cannot make a measurement when it is recovering). Sometimes there will also be after pulses, when the energy from a relaxing electron causes the excitation of further electrons, resulting in a second avalanche causing a second click event (see Section 4.8.3).

Avalanche photodiodes also have a limited temporal resolution; from the time when a photon first starts an avalanche to the recovery of the detector, more photons may hit the material. This means that the detector is an integrated measurement: if a current is detected then one or more photons hit the detector in the time period designated for each detection event.

The quality of an avalanche photodiode primarily consists of three things: the probability of dark counts in a given time frame, the recovery time, and the efficiency. Typically, the efficiency is quite low for avalanche photodiodes at room temperature [CFL+14]. However, by decreasing the temperature the efficiency can increase dramatically, but the recovery time is extended due to the increased probability of after pulses, since it requires less energy to cause an after pulse at lower temperatures.

There are also efforts to use different kinds of single photon detectors at low temperatures, called superconducting single-photon detectors, as an alternative to avalanche photodiodes. Superconducting single-photon detectors have a higher efficiency and lower dark count rates due to less energy available to excite the system (see [CPG+14, SHS14] as examples of recent experiments). For a comparison of the performance of these detectors with that of avalanche photodiodes, see [SBPC+08].


4.5.5 Mach-Zehnder Interferometers 


A Mach-Zehnder interferometer is a particular arrangement of beamsplitters and mirrors, which can be followed by threshold detectors (see Fig. 4.2 and see [MDS+14] for a recent experiment). Here we describe an unbalanced interferometer that can be used to measure the relative phase between two pulses, as is necessary for the COW and DPS protocols (see Section 1.2.2), as well as one implementation of the BB84 protocol (Section 4.6.2). The mirrors in the Mach-Zehnder interferometer can be thought of as a beamsplitter with reflectivity $i$ and transmissivity 0.


Figure 4.2: An unbalanced Mach-Zehnder interferometer measurement. It is composed of two 50:50 beamsplitters and two mirrors on the long arm followed by two threshold detectors. Two pulses separated by a distance equal to the length difference between the two paths in the interferometer will have their relative phase measured with probability 1/2. At time slot $t$, if threshold detector $D_0$ clicks then the relative phase was at an angle of 0 and if threshold detector $D_1$ clicks then the relative phase was at an angle of $\pi$. If a measurement result occurs at time slot $t-1$ or $t+1$ then the relative phase is unknown.

As an example of the use of a Mach-Zehnder interferometer, consider a single photon distributed over two pulses separated by a distance equal to the relative distance between two arms of the Mach-Zehnder interferometer. If the two pulses have a relative phase of $\phi \in [0, 2\pi)$ then the state before the Mach-Zehnder interferometer is

\[ \frac{|t\rangle + e^{i\phi}|t+1\rangle}{\sqrt{2}} \qquad (4.6) \]

where $|t\rangle$ denotes a photon at time slot $t$ of the first pulse and $|t+1\rangle$ denotes a photon at the time slot of the second pulse. After the first beamsplitter, which has vacuum as the second input, we can use the relation Eq. 4.2 for a 50:50 beamsplitter to find that the state is

\[ \frac{|t,S\rangle - i|t,L\rangle + e^{i\phi}|t+1,S\rangle - ie^{i\phi}|t+1,L\rangle}{2} \qquad (4.7) \]

where $|t,S\rangle$ denotes a photon at time slot $t$ in the short arm of the interferometer and $|t,L\rangle$ is a photon at time slot $t$ in the long arm. After the delay in the long arm and the reflections on the two mirrors, but before the second beamsplitter, the state is

(4.8)

After the second beamsplitter the state becomes

(4.9)

where $|0\rangle$ is a photon at threshold detector $D_0$ and $|1\rangle$ is a photon at threshold detector $D_1$ (see Fig. 4.2). If we condition on getting an outcome at time slot $t$ and if $\phi = 0$ then only detector $D_0$ can click. If $\phi = \pi$ then only detector $D_1$ can click. This means that the relative phase between two pulses can be measured with certainty if $\phi \in \{0, \pi\}$. However, with probability 1/2, either detector can click at time slot $t-1$ or $t+1$, where either $D_0$ or $D_1$ will click with equal probability.

The POVM elements that describe a perfect Mach-Zehnder interferometer with a detection at time slot $t$ are the projections onto the states

\[ \frac{|t\rangle + |t-1\rangle}{\sqrt{2}}, \qquad \frac{|t\rangle - |t-1\rangle}{\sqrt{2}} \qquad (4.10) \]

for $D_0$ and $D_1$ respectively.

A phase modulator can be added on one arm of the Mach-Zehnder interferometer so that it can distinguish the relative phase between different phases other than 0 and $\pi$. The next section describes a phase modulator.


4.5.6 Other Devices 

There are some other devices that are used in quantum-cryptography 
and QKD implementations, such as polarizers and phase modulators. 

A polarizer is a filter that only allows output light to be of a particular fixed polarization. Polarization is a degree of freedom of a photon that represents the relative phase between the oscillating magnetic and electric fields of the photon [ST91]. If they are in phase then the photon may be linearly polarized either horizontally or vertically, relative to some reference frame (see Section 4.6.1). If they are out of phase (e.g. there is a relative phase of $\pi/2$) then the polarization can be either left or right circularly polarized. Polarization can be thought of as the orientation of the combination of the waves while looking in the plane perpendicular to the direction of movement of the photon. From this view, the linear polarization is a line, while the circular polarization is a rotation around a circle (either clockwise or anti-clockwise). There is also elliptically polarized light, which is a superposition of circular and linear polarization.

There are two polarizers of interest: linear polarizers, which output linearly polarized light, and circular polarizers, which output circularly polarized light. They are constructed from materials which are birefringent, which means that light has a different speed of travel depending on its polarization. The result is that the light that is transmitted through the material has the desired polarization.

Two polarizers of interest can be constructed from half- and quarter-wave plates. Wave plates are birefringent materials that are chosen to have a thickness that induces a desired polarization. Half-wave plates induce a relative phase of $\pi$, while quarter-wave plates induce a relative phase of $\pi/2$. Also, there are materials which change their birefringence depending on an electric field that is applied to the material. This process is called the Kerr effect, which can be used to change the polarization filter on demand [ST91].

Phase modulators manipulate the relative phase between two pulses. 
For most QKD purposes, this phase modulation should only induce a short 
delay in the propagating light that is of the order of the light’s wavelength. 

Both polarizers and phase modulators have a loss associated with 
them, which should be taken into account in implementations of quantum- 
cryptography protocols (for example, see [FNL12]). 


4.5.7 Channel Models 

Recall that for the robustness of the protocol the probability that the protocol aborts when there is no eavesdropper should be known (see Section 3.2.8). This probability is typically found by assuming a model for the quantum channel between Alice and Bob, as well as a model for Alice's and Bob's devices. Given these models, the probability that the protocol aborts can be calculated.

A typical model for the quantum channel is a depolarizing channel. It can be described as

\[ \rho \mapsto p\rho + (1-p)\frac{\mathbb{1}}{d}, \qquad (4.11) \]

for $\rho \in \mathcal{H}$, $d$ is the dimension of $\mathcal{H}$, and $p$ is a probability. Usually in QKD Bob does a measurement to try to distinguish two or more quantum states, $\rho_i$. With probability $p$ he will get $\rho_i$ so he can distinguish these states (conditioned on him measuring in the correct basis, for protocols with a basis choice) and with probability $1-p$ he will get a maximally mixed state, so he gets each of his measurement outcomes with probability $\mathrm{Tr}(F_i/d)$, for a POVM with POVM elements $\{F_i\}$. For many of the protocols in Section 1.2.2, $\mathrm{Tr}(F_i)$ is the same for all $i$ and therefore the probability of getting an error is the same for all measurement outcomes.

If errors are seen to be equally likely, regardless of the measurement 
outcome, then the channel can be modelled as a depolarizing channel. 
Therefore, this is a calibrated assumption that the channel is depolarizing, 
since the errors are usually only approximately equally likely. 

Channels also have losses. The loss is characterized in units of dB/km, which is the log of the ratio of the power (of a classical optical signal) between the input and output signals, times ten, per kilometre. The lowest loss fibre-optic cables possible with current technology have a loss of 0.17 dB/km, which means that the power decreases to ~96% of the input power over one kilometre of fibre [ST91].

The loss in a quantum channel can be modelled as a beamsplitter that takes the input state as one input and the vacuum as its other input. The output of the channel is the transmission output of the beamsplitter and the other output of the beamsplitter is lost to the environment (which we can assume Eve gets). The loss can be modelled this way because, typically, the losses do not depend on the state of the system and are just probabilistic: a photon is transmitted through the channel or lost to the environment regardless of the photon's state [SBPC+08]. However, it should be taken into account that Eve can control when losses occur and she may perform attacks where the loss may depend upon the state sent through the channel.
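The depolarizing and loss models of this section carried through, as an added example (not the thesis's own code): Eq. 4.11 applied to the polarization qubit states of Section 4.6.1, the per-outcome error probability $(1-p)\,\mathrm{Tr}(F_i/d)$, a calibration check that the observed errors are outcome-independent before the depolarizing model is adopted, and the 0.17 dB/km fibre figure as the transmissivity of the beamsplitter loss model. All function names are this example's own.

```python
import math
from typing import List, Optional, Sequence

Matrix = List[List[complex]]
INV_SQRT2 = 1 / math.sqrt(2)

# Polarization qubit states of Section 4.6.1 as column vectors:
# H = |0>, V = |1>, D+ = (H + V)/sqrt2, D- = (H - V)/sqrt2.
H: List[complex] = [1, 0]
V: List[complex] = [0, 1]
D_PLUS: List[complex] = [INV_SQRT2, INV_SQRT2]
D_MINUS: List[complex] = [INV_SQRT2, -INV_SQRT2]


def projector(psi: Sequence[complex]) -> Matrix:
    """|psi><psi| as a d x d matrix."""
    d = len(psi)
    return [[psi[i] * complex(psi[j]).conjugate() for j in range(d)] for i in range(d)]


def trace_product(a: Matrix, b: Matrix) -> float:
    """Tr(a b) for square matrices of the same size (real part; both are Hermitian here)."""
    d = len(a)
    return sum(a[i][k] * b[k][i] for i in range(d) for k in range(d)).real


def depolarize(rho: Matrix, p: float) -> Matrix:
    """Eq. 4.11: rho -> p rho + (1 - p) 1/d."""
    d = len(rho)
    return [[p * rho[i][j] + ((1 - p) / d if i == j else 0) for j in range(d)]
            for i in range(d)]


def error_probability(sent: Sequence[complex], orthogonal: Sequence[complex],
                      p: float) -> float:
    """Probability that Bob, measuring in the basis Alice used, registers the
    orthogonal outcome F = |orthogonal><orthogonal| after the depolarizing channel.
    For a rank-one F on a qubit this is (1 - p) Tr(F/d) = (1 - p)/2."""
    return trace_product(projector(orthogonal), depolarize(projector(sent), p))


def fit_depolarizing_parameter(error_rates: Sequence[float],
                               tol: float = 1e-3) -> Optional[float]:
    """Calibration check behind the 'calibrated assumption': if the observed error
    rate is the same (within tol) for every measurement outcome, return the p of the
    depolarizing channel that reproduces it; otherwise return None, because the
    depolarizing model does not describe these observations."""
    mean = sum(error_rates) / len(error_rates)
    if any(abs(q - mean) > tol for q in error_rates):
        return None
    return 1 - 2 * mean


def fibre_transmittance(length_km: float, loss_db_per_km: float = 0.17) -> float:
    """Fraction of the input power reaching the output of the fibre; in the
    beamsplitter model of a lossy channel this is |T|^2, and the remaining fraction
    goes to the environment, which we assume Eve holds."""
    return 10 ** (-loss_db_per_km * length_km / 10)
```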


4.6 Implementations of BB84 


Two practical examples we use to discuss assumptions about the devices used in QKD protocols are implementations of the BB84 protocol. We will describe the kinds of devices that are used in these implementations. For the perfect description of the BB84 protocol, see Section 1.2.2.

One implementation uses free space (e.g. the atmosphere or space) 
to transmit photons that encode the qubits that Alice wants to send Bob 
in the polarization degree of freedom of the photon (see [ECLW08] for 
an experiment). Since polarization of an individual photon is a two level 
system, polarization is an ideal property to use for the qubit of the BB84 
protocol. 

In fibre optics, a photon with a particular polarization undergoes polarization drift. Due to imperfections in the cable and in the environment (such as temperature differences) the polarization can be transformed as the photon goes through the fibre due to birefringence (see Section 4.5.6). Over time scales smaller than the time it takes to perform the quantum stage of the protocol this polarization drift can change, which makes it difficult to use polarization to transmit quantum data. In this case another implementation of BB84 can be used that encodes information in the relative phase of two pulses made from one photon. This encoding is similar to the distributed phase protocols DPS and COW (see Section 1.2.2).
4.6.1 Polarization BB84

The polarization of photons can be used to store quantum information (see Section 4.5.6). Linearly and circularly polarized light form three bases of a qubit Hilbert space, and the polarization implementation of BB84 uses two of these three bases. The three possible bases are horizontal and vertical polarization $\{H, V\}$, diagonal linear polarization $\{D_+, D_-\}$ (where $D_+ = (H + V)/\sqrt{2}$ and $D_- = (H - V)/\sqrt{2}$), and circular polarization $\{R, L\}$ (where $R = (H + iV)/\sqrt{2}$ and $L = (H - iV)/\sqrt{2}$). We can correspond the states in the BB84, SARG04, and six-state protocol with the polarization space, where $H = |0\rangle$, $V = |1\rangle$, $D_+ = |+\rangle$, $D_- = |-\rangle$, $R = |i\rangle$, and $L = |-i\rangle$. Here we consider the implementation of the BB84 protocol that uses the $\{H, V\}$ basis and the $\{D_+, D_-\}$ basis.

Now we can implement the BB84 protocol as follows [BBB+92] (see Fig. 4.3). The preparation of photons can be done by using a weak coherent laser pulse followed by a polarizer to set the polarization of the photons. For the measurement, Bob can use a polarizing beamsplitter, which separates two orthogonal polarization states. For example, one output of the polarizing beamsplitter could be H and the other would then be V. Bob can place threshold detectors after each output of the polarizing beamsplitter to measure whether his state was H or V. To measure in the other basis, he may actively control a polarization rotator before his polarizing beamsplitter so that he can measure $D_+$ and $D_-$ instead (see Fig. 4.3a).

Bob can also do his measurement in a passive way, so he does not have to control the orientation of his polarizing beamsplitter (see Fig. 4.3b). First, he can put a 50:50 beamsplitter, which at one output has a polarizing beamsplitter and threshold detectors to measure in the H/V basis, while the other output of the 50:50 beamsplitter has a polarizing beamsplitter and threshold detectors to measure in the $D_+/D_-$ basis. The 50:50 beamsplitter simulates the basis choice and Bob does not need to actively control his measurement device.


4.6.2 Phase BB84 

Figure 4.3: Two implementations of the BB84 protocol using polarized photons. (a) The polarization implementation of the BB84 protocol with an active basis choice. Alice prepares states using a laser source of coherent states that go into a polarizer to produce $H$, $V$, $D_+$, or $D_-$. Bob measures $H$ and $V$ by leaving the polarization the same by separating them using a polarizing beamsplitter (PBS) followed by two threshold detectors. Bob can measure $D_+$ and $D_-$ by applying a polarization rotator (PR) before his polarizing beamsplitter. (b) The polarization implementation of the BB84 protocol with a passive basis choice. Instead of the polarization rotator Bob uses a 50:50 beamsplitter so that a single photon randomly goes to a measurement in the $H$, $V$ basis that uses one polarizing beamsplitter or the $D_+$, $D_-$ basis that uses another polarizing beamsplitter.

Figure 4.4: The implementation of the BB84 protocol using the relative phase between two pulses. Alice prepares a coherent state from a laser, followed by a separation of this state into two pulses. She chooses the relative phase between them using a phase modulator (PM) resulting in a phase of 0, $\pi/2$, $\pi$ or $3\pi/2$. Bob measures the relative phase by using an unbalanced Mach-Zehnder interferometer followed by two threshold detectors. His phase modulator chooses whether to measure 0 and $\pi$; or $\pi/2$ and $3\pi/2$.

In the phase implementation of BB84, the states $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$ are represented as the relative phase between two pulses from a single photon [ERTM92] (see Fig. 4.4). Alice can prepare a weak coherent laser pulse and input it into a 50:50 beamsplitter. Each arm of the beamsplitter has a different length and they will be recombined. On one arm of the beamsplitter Alice applies a phase modulation to change the relative phase between its output and the output of the other arm of the beamsplitter. Alice changes the relative phase to angles of 0, $\pi$, $3\pi/2$, or $\pi/2$ (these phases are factors of $e^{i\phi}$ where $\phi$ is the phase resulting in $1$, $-1$, $i$, and $-i$). If we denote the two spatial modes as $s_1$ and $s_2$, we can write the states required for the BB84 protocol as

\[ |0\rangle = \frac{|s_1\rangle + |s_2\rangle}{\sqrt{2}}, \quad |1\rangle = \frac{|s_1\rangle - |s_2\rangle}{\sqrt{2}}, \quad |+\rangle = \frac{|s_1\rangle + i|s_2\rangle}{\sqrt{2}}, \quad |-\rangle = \frac{|s_1\rangle - i|s_2\rangle}{\sqrt{2}}. \qquad (4.12) \]

These are valid representations of the states for BB84 since they have the same overlaps, $\langle\psi|\varphi\rangle$ for $|\psi\rangle, |\varphi\rangle \in \{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$.

On Bob’s side, he will use a Mach-Zehnder interferometer followed 
by threshold detectors to measure this relative phase (see Section 4.5.5). 
A phase modulator is placed on the long arm in order to choose between 
measuring in the {0, n} basis or the {n/2,3n/2} basis. With probability 
1/2 he will get an outcome that tells him the phase and otherwise he gets 
an outcome that does not tell him what the relative phase was. Bob will 
then communicate to Alice when he gets a bad outcome and when he was 
able to discern the overlap depending on the timing of his measurement 
outcomes. 
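The phase-encoded exchange of Section 4.5.5 and this section carried through, as an added example (not code from the thesis or from the cited experiments): it tracks the single-photon amplitudes of Eq. 4.6 through the unbalanced interferometer using the page's 50:50 conventions ($R = i/\sqrt{2}$, $T = 1/\sqrt{2}$, mirrors with reflectivity $i$) and Alice's four phases. The routing at the second beamsplitter (short arm transmitted to $D_0$, long arm reflected to $D_0$), Bob's modulator sitting on the long arm, and the relabelling of the overlap slot as 0 are this example's own choices.

```python
import cmath
import math
from typing import Dict, Tuple

# 50:50 beamsplitter amplitudes from Section 4.5.3: R = i/sqrt(2), T = 1/sqrt(2).
R = 1j / math.sqrt(2)
T = 1 / math.sqrt(2)
# A mirror acts as a beamsplitter with reflectivity i and transmissivity 0
# (Section 4.5.5); the long arm of Fig. 4.2 contains two of them.
MIRROR = 1j

# Alice's BB84 phases (Section 4.6.2): factors 1, -1, i, -i on the second pulse.
ALICE_PHASE = {"0": 0.0, "1": math.pi, "+": math.pi / 2, "-": 3 * math.pi / 2}
# Bob's phase-modulator setting selects the {0, pi} or the {pi/2, 3pi/2} basis
# (assumed convention: the modulator is on the long arm and adds psi to that path).
BOB_BASIS = {"Z": 0.0, "X": math.pi / 2}

# An outcome is (detector, slot): detector in {"D0", "D1"}, slot in {-1, 0, +1},
# where slot 0 is the one in which the two pulses overlap (the page's slot t).
Outcome = Tuple[str, int]


def detection_probabilities(phi: float, psi: float = 0.0) -> Dict[Outcome, float]:
    """Click probabilities for the state (|t> + e^{i phi}|t+1>)/sqrt(2) of Eq. 4.6
    sent through the unbalanced Mach-Zehnder interferometer, with Bob's modulator
    adding the phase psi on the long arm."""
    inputs = {0: 1 / math.sqrt(2), 1: cmath.exp(1j * phi) / math.sqrt(2)}
    amplitudes: Dict[Outcome, complex] = {}

    def add(key: Outcome, amp: complex) -> None:
        amplitudes[key] = amplitudes.get(key, 0j) + amp

    for slot, amp in inputs.items():
        # Short arm: transmitted at the first beamsplitter, no delay.
        short = amp * T
        # Long arm: reflected at the first beamsplitter, two mirrors, Bob's
        # modulator, and one slot of delay relative to the short arm.
        long = amp * R * MIRROR * MIRROR * cmath.exp(1j * psi)
        # Second beamsplitter: the short-arm input is transmitted to D0 and
        # reflected to D1; the long-arm input is reflected to D0 and transmitted
        # to D1. Slots are relabelled so that the overlap slot is 0.
        add(("D0", slot - 1), short * T)
        add(("D1", slot - 1), short * R)
        add(("D0", slot), long * R)
        add(("D1", slot), long * T)
    return {key: abs(a) ** 2 for key, a in amplitudes.items()}


def bob_outcome(state: str, basis: str) -> Tuple[float, float, float]:
    """(P(D0 at slot 0), P(D1 at slot 0), P(click at slot -1 or +1)) when Alice
    sends `state` and Bob measures in `basis`. Slot-0 clicks are conclusive; the
    rest are the bad outcomes Bob reports back to Alice by their timing."""
    probs = detection_probabilities(ALICE_PHASE[state], BOB_BASIS[basis])
    inconclusive = sum(p for (_, slot), p in probs.items() if slot != 0)
    return probs[("D0", 0)], probs[("D1", 0)], inconclusive
```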

Now that implementations of the BB84 protocol have been introduced, we discuss the assumptions made about sources (Section 4.7), measurements (Section 4.8), and the classical parts of the protocol (Section 4.9).
4.7 Source Imperfections and Assumptions

There are several ways that sources do not produce the idealized states required for a given protocol. There may be correlations between the state in its desired degree of freedom (such as polarization or relative phase) with other degrees of freedom, such as frequency or time. Subsequent states may not be independent, so an eavesdropper can get information from these correlations. We now list several of these assumptions, what class of assumption they are (fundamental, calibrated, verifiable, or satisfiable, see Section 4.3), as well as any techniques used to justify these assumptions.


4.7.1 Phase Coherence 

QKD protocols that do not use the phase as the degree of freedom for encoding often assume that the phase of each pulse is completely unknown to Eve. If this is the case, for example in the polarization implementation of the BB84 protocol, then the prepared state from the laser before encoding by Alice is a coherent state $|\alpha\rangle$ where $\alpha = re^{i\theta}$ and $r \in \mathbb{R}^+$, $\theta \in [0, 2\pi)$ [LP06]:

\[ \int_0^{2\pi} \frac{1}{2\pi} |re^{i\theta}\rangle\langle re^{i\theta}| \, d\theta = e^{-r^2} \sum_{n=0}^{\infty} \frac{r^{2n}}{n!} |n\rangle\langle n|, \qquad (4.13) \]

which is a mixed state of a Poisson distribution of number states. However, if Eve has some information about the phase, then this is not an accurate description of the prepared state from Eve's perspective. Eve can get information about the phase in protocols that have a strong reference pulse, such as some forms of the B92 protocol [TKI03, TL04] and the Plug & Play version of the BB84 protocol [RGG+98, MHH+97] (see Section 5.2). Eve can then compare the phase between the strong pulse and the quantum state sent from Alice. Even in protocols that do not have a strong reference pulse, Eve can learn the phase of the source by using several weak pulses.


The assumption that the phase of each pulse is unknown to Eve is satisfiable, since Alice can apply a random phase to each state she sends into the quantum channel [LP06]. As long as the randomness used to choose this phase is true randomness (see Section 4.9) and the source is isolated from Eve, then Eve cannot get information about the polarization of the states by measuring their relative phase. If the phase is not completely randomized then Eve may get some information about the key [LP05, SJM+14, KT014].

The relative phase between different pulses may also give information to Eve. In the polarization implementation of the BB84 protocol, the relative phase between subsequent states may depend on the polarization of the states prepared. If Eve measures the relative phase, she may learn information about the polarization of the state. The assumption that the relative phase does not give any information about the polarization of the state is a calibrated assumption, since the states are prepared using sources that are not designed to change the phase over subsequent pulses.


4.7.2 Multiple Photons 

As mentioned in Sections 4.5.1 and 4.5.2, the states that can be prepared in practice for discrete QKD protocols are coherent states, which are superpositions of photon number states. Sometimes multiple photons can be sent into the channel with the same encoding of the information, such as the polarization or the relative phase. Eve can then do a measurement to determine how many photons are present in the sent signal and then store the extra photons that Alice prepared while sending a single photon on to Bob. This attack is called the photon-number splitting attack, and was noticed and analyzed in [Lüt99, Lüt00, GLLP04]. Eve can either get full or partial information about Alice's state depending on the protocol and how many extra photons there are. Also, Alice and Bob will not detect this attack because it does not introduce any errors.

A method that has been developed to compensate for the photon-number splitting attack is the decoy state method [Hwa03, Wan05, LMC05]. Alice will prepare different states with a different number of average photons. She can choose in advance from a discrete set of possible average photon numbers. From this choice of states, Alice and Bob can estimate the number of errors they have for single photons, for two photons, etc. Formally, Alice and Bob have a set of linear equations for their error rates:

\[ Q_{\mathrm{total}} = p_1 Q_1 + p_2 Q_2 + \cdots, \qquad (4.14) \]

for a total error rate $Q_{\mathrm{total}}$, error rates for each photon number $Q_i$ ($i \in \{1, 2, \ldots\}$), and a set of probability distributions $P^l = (p^l_1, p^l_2, \ldots)$ (one for each average photon number setting).

If the decoy state method is not used, then Alice and Bob can assume that all of their errors come from measurement outcomes on single photons. However, this estimation is pessimistic. Using the decoy state method allows for an estimation of the single photon error rate, which is usually lower than for other photon numbers. As an example, in the infinite-key limit, this estimation results in a scaling of the key rate, $r$, so that the probability that a single photon is created ($p_1$) is multiplied with the key rate for single photons, which is a function of the single photon error rate, $r_1(Q_1)$. Also, if the key rate is non-zero for two or more photons then these key rates (which are each functions of the error rate for that many photons) can be taken into account by adding them together, each multiplied by the probability of having that many photons: $r = p_1 r_1(Q_1) + p_2 r_2(Q_2) + \cdots$. The details of how to perform the estimation procedure for the decoy state method can be found in [SBPC+08, Hwa03, Wan05, LMC05, MCL09].

The assumption that a discrete protocol is secure even when Alice prepares states that can contain multiple photons is satisfiable, since the decoy state method can account for this imperfection in the implementation and analysis. Alternatively, the error rate observed in the protocol without decoy states can still give an estimate of the number of errors for single photons. However, using this kind of bound results in a lower key rate (since the total error rate $Q$ satisfies $Q > Q_1$ and the key rate is monotonically decreasing in the error rate) [SBPC+08].
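The decoy-state estimation of Eq. 4.14 carried through, as an added example (not the thesis's own code): one average-photon-number setting per unknown $Q_i$ turns Eq. 4.14 into a square linear system, and the recovered single-photon error rate is compared with the pessimistic bound $Q_1 \le Q_{\mathrm{total}}$ through the key rate $r = p_1 r_1(Q_1) + \cdots$. The Poisson photon statistics, the truncation at three photons, the conditioning on at least one photon, the single-photon rate $1 - 2h(Q_1)$ and the choice $r_n = 0$ for $n \ge 2$ are this example's assumptions.

```python
import math
from typing import List, Sequence


def poisson(mu: float, n: int) -> float:
    """Probability that a coherent state of mean photon number mu contains n photons."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def photon_number_distribution(mu: float, n_max: int) -> List[float]:
    """The distribution P^l = (p_1, ..., p_n_max) for one setting mu, conditioned on at
    least one photon (assumption: vacuum pulses give no detection and hence no error)
    and truncated at n_max photons (assumption: larger photon numbers are negligible)."""
    probs = [poisson(mu, n) for n in range(1, n_max + 1)]
    norm = sum(probs)
    return [q / norm for q in probs]


def total_error_rate(mu: float, per_photon_errors: Sequence[float]) -> float:
    """Eq. 4.14: Q_total = p_1 Q_1 + p_2 Q_2 + ... for one average photon number setting."""
    p = photon_number_distribution(mu, len(per_photon_errors))
    return sum(p_n * q_n for p_n, q_n in zip(p, per_photon_errors))


def solve_linear_system(a: List[List[float]], b: List[float]) -> List[float]:
    """Gaussian elimination with partial pivoting for a small square system a x = b."""
    n = len(b)
    m = [list(row) + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-15:
            raise ValueError("the chosen settings do not determine the per-photon error rates")
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        tail = sum(m[i][j] * x[j] for j in range(i + 1, n))
        x[i] = (m[i][n] - tail) / m[i][i]
    return x


def estimate_per_photon_errors(mus: Sequence[float], totals: Sequence[float]) -> List[float]:
    """Decoy-state estimation: with one setting per unknown photon number, Eq. 4.14
    is a square linear system whose solution is (Q_1, Q_2, ..., Q_n)."""
    if len(mus) != len(totals):
        raise ValueError("need one observed total error rate per setting")
    rows = [photon_number_distribution(mu, len(mus)) for mu in mus]
    return solve_linear_system(rows, list(totals))


def binary_entropy(q: float) -> float:
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * math.log2(q) - (1 - q) * math.log2(1 - q)


def key_rate(mu: float, per_photon_errors: Sequence[float]) -> float:
    """r = p_1 r_1(Q_1) + p_2 r_2(Q_2) + ... in the infinite-key limit, with the assumed
    single-photon rate r_1(Q) = 1 - 2 h(Q) and r_n = 0 for n >= 2 (assumption: the
    photon-number splitting attack gives Eve full information on multi-photon pulses).
    Passing Q_total in place of Q_1 gives the pessimistic no-decoy rate."""
    p = photon_number_distribution(mu, len(per_photon_errors))
    return p[0] * max(0.0, 1.0 - 2.0 * binary_entropy(per_photon_errors[0]))
```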

The decoy state method can also be done in a passive way, instead of having to actively change the average photon number in the pulses (see [CMML09, CMQM10, KSJ+14, XXL14] and references therein). One way to implement passive decoy states is to use a weak coherent pulse with a beamsplitter followed by a threshold detector [CMML09]. Depending on if the threshold detector clicks or not, different superpositions of number states will be prepared, which can be used for a two-state decoy method. The passive decoy state method has been used in security proofs for QKD protocols [ZBL+14] and implemented in a recent experiment [SWL+14].

Another method to counteract the photon-number splitting attack is 
to do a protocol that is robust against this kind of attack, such as the SARG 
protocol [SARG04] (see Section 1.2.2). 

4.7.3 State Structure and Symmetry 

Many assumptions can be made about the states produced from the source and the states sent into the channel. Usually it is assumed that the states in discrete-variable protocols are independent. This assumption is necessary for analyses that need to treat signals in an independent way. For example, in the polarization implementation of BB84 the states prepared are not independent in practice. As mentioned in Section 4.7.1, photon sources can have coherence in the phase between subsequent pulses, e.g. the sequence of states have the form $|\alpha\rangle|\alpha\rangle\cdots|\alpha\rangle$. However, this assumption is satisfiable by randomizing the phase. Other degrees of freedom in the state of the photons may also be correlated between subsequent states but usually a calibrated assumption is made that the states do not have such correlations. However, this assumption should be verified by characterizing the source to ensure that this is the case.

Another assumption is that there are an infinite number of signals
sent during the protocol. As discussed in Section 3.4.1, this is an
assumption that is not physically possible and therefore it is a
fundamental assumption. However, there are many recent results that take
finite-key effects into account, removing the need for this assumption
[RHR+07, SR08a, CMQM10, FFB+12, TLGR12, LGPRC13, WBC+14, FFB+14, Fur14,
ZBL+14].

In addition to correlations between subsequent states, there may be
correlations between the degree of freedom used to encode the bits Alice
wants to communicate to Bob and other degrees of freedom. For example,
the frequency of the photon may be correlated with the polarization of the
photon in polarization BB84. In addition, if different sources are used
for different states then, as an example, each source might have a
different frequency that will tell Eve the polarization of the photons
[KZMW01, SK09]. Therefore, the assumption that there are no correlations
between other degrees of freedom and the intended degree of freedom is a
calibrated assumption.

In the phase implementation of the BB84 protocol, Alice prepares
states using a phase modulator on one of her pulses. The phase modulator
may induce a loss, which lowers the intensity of one pulse compared to
the other. This loss creates a different state, which should be taken into
account, such as in [FNL12]. If this loss is not taken into account in the
security proof then it is a calibrated assumption, since the intended
state is then only an approximation of the state that results from the
implementation.

Some security proofs assume that a fixed finite Hilbert space describes
the states sent from Alice to Bob. This assumption is fundamental because
any particle that Alice sends to Bob has many degrees of freedom that
could be correlated with the degree of freedom Alice uses to send
information to Bob. If it is assumed that the quantum states have an
i.i.d. structure then this may either be satisfiable by using the
post-selection theorem (which requires further assumptions) or it is a
fundamental assumption.

If i.i.d. states are assumed then symmetry may be exploited to prove
that instead of having to prove security for all possible i.i.d. states,
only a small class of states needs to be considered. For example, the
states shared between Alice and Bob in the BB84 and six-state protocols
may be completely determined by the number of errors measured in the
protocol [Ren05]. The states are determined because Alice and Bob can
rotate their states (as described at the end of Section 3.4.3) and the
protocol is identical. This method only requires that the structure of
the protocol satisfies this symmetry, which is a calibrated assumption.


4.7.4 The Local Oscillator 

The local oscillator is a strong reference pulse that is sent along with
a quantum state in some versions of the B92 protocol and
continuous-variable protocols. The local oscillator is usually used in
the measurement of the quantum state. The fundamental assumption is
typically made that Eve does not interfere with the local oscillator.
Since the local oscillator is sent through an insecure channel, this is
not a justifiable assumption. However, if Bob monitors the intensity and
phase of the local oscillator then the assumption can be satisfiable
[HML08]. Alternatively, Bob can do a measurement of the local oscillator
followed by a recreation of his own local oscillator with the same phase
as the received local oscillator's phase [Koa04].


4.8 Measurement Imperfections and Assumptions 


Measurements may also deviate from their perfect models in many
ways. Measurements may respond to several photons, even when the
single-photon subspace is used for the encoding of the information Alice
wants to send to Bob. The timing of the signals may be changed by Eve,
which can influence Bob's measurement outcomes. Measurement devices
also have unintended behaviour, such as with threshold detectors, which
can click when there is no signal and also have a limited efficiency, so
even when there is an incoming photon the detector may not click.
Measurements can also deviate from their intended model entirely. An
example of this kind of deviation is a blinding attack, where Eve
completely controls Bob's measurement outcomes by shining bright light
into Bob's detector [LWW+10]. Finally, for device-independent
protocols, Bell tests, such as the CHSH experiment, need to be performed
precisely according to the model, otherwise Alice and Bob may see a CHSH
violation but their states may not be quantum, which means that Alice
and Bob should not be able to extract a key from these measurement
outcomes.

We now investigate the imperfections of measurements in detail. 




4.8.1 The Squashing Model 

Since sources used in qubit device-dependent protocols usually
produce weak coherent states instead of single photons, Bob may detect
multiple photons, even if there is no eavesdropper. In addition, if Eve is
present then she is not restricted to only being able to send single
photons to Bob but she can send any state she wants. It used to be a
fundamental assumption that Eve does not get any advantage from this
deviation from the intended model [GLLP04]. However, now there is a
precise way of determining if a given measurement device is equivalent to
its perfect model. This technique is called the squashing model.

If the POVM elements of the measurement on the full Hilbert space
of all optical modes are known and suitable POVM elements for a perfect
model are chosen then it can be determined if these measurement devices
are equivalent [BML08, FCL11, GBN+14]. Note that the measurement on
the full Hilbert space may give outcomes that never occur in the perfect
model. For example, if in polarization BB84 multiple photons are input
into the measurement device, then both threshold detectors may click.
This event is called a double-click, which does not happen for single
photons in the perfect model.

It is not clear what bit Bob should assign to these measurement
outcomes. Bob could treat these outcomes as loss so that in the sifting
step of the protocol Alice and Bob will ignore these outcomes. However,
Eve can attack the protocol in a way that will give her full information
about the key if Alice and Bob discard the double-click events [Lüt99].
Instead, Alice and Bob can treat these events as an error and each
randomly assign a bit value to these measurement outcomes. This
assignment corresponds to assigning one of the perfect model's outcomes
(a 0 or a 1) randomly to the double-click events.

Given an assignment of detection events in the implementation to
detection events in the perfect model, POVM elements are defined that
describe the measurement outcomes and any classical assignment of these
outcomes to bits. Now we can formally define the squashing model.

Given a POVM on a large Hilbert space {F_i} and a POVM on a small
Hilbert space {F_i^Q} with an association between these two sets of POVM
elements (so that F_i represents an outcome in the small Hilbert space
described by F_i^Q), then there exists a squashing model if there exists
a CPTP map Λ such that its Choi-Jamiolkowski matrix T (see Theorem
2.2.11) satisfies

$$ T^R \, |F_i^Q\rangle\rangle = |F_i\rangle\rangle \quad \forall i, \qquad (4.15) $$

$$ T^\dagger = T \geq 0, \qquad (4.16) $$

where T^R is the Normal map for T (Defn. 2.2.14) and |G⟩⟩ is the vector
representation of the matrix G (Defn. 2.2.13).

If the POVM elements are known, then the linear equations in Eq. 4.15
put constraints on the elements of the Hermitian matrix T. After these
constraints are applied, the matrix T can be checked to see if an
assignment of any of the remaining open parameters in T can make it
positive semi-definite. If T is positive semi-definite then a squashing
model exists. If it is not positive semi-definite then both sets of POVM
elements can be mixed with classical noise to form new POVM elements
that correspond to adding noise to the outcomes of Alice's and Bob's
measurements. If enough noise is added then a squashing model always
exists [GBN+14]. Therefore, a squashing model is only practical if no
noise or a low amount of noise is added (e.g. less than the threshold of
the protocol minus any inherent errors in Alice's and Bob's devices and
in the quantum channel).
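As an added illustration of conditions (4.15) and (4.16), not taken from the thesis, the following Python checks a candidate squashing map for a constructed three-outcome toy measurement (single clicks |0⟩, |1⟩ plus a double-click outcome assigned a random bit) against an ideal qubit measurement. The toy POVMs, the map Λ and its Kraus operators, and the matrix helpers are assumptions made for this example; the Choi matrix is built directly from the Kraus operators rather than by solving for open parameters as the text describes.

```python
from math import sqrt

def zeros(n, m):
    return [[0j] * m for _ in range(n)]

def identity(n):
    return [[1 + 0j if i == j else 0j for j in range(n)] for i in range(n)]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def dagger(A):
    return [[A[j][i].conjugate() for j in range(len(A))] for i in range(len(A[0]))]

def madd(A, B):
    return [[a + b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def scale(c, A):
    return [[c * a for a in row] for row in A]

def close(A, B, tol=1e-10):
    return all(abs(a - b) <= tol for ra, rb in zip(A, B) for a, b in zip(ra, rb))

def proj(d, i, j=None):
    """|i><j| on a d-dimensional space (j defaults to i)."""
    M = zeros(d, d)
    M[i][i if j is None else j] = 1 + 0j
    return M

def adjoint_map(kraus, G):
    """Heisenberg picture of the candidate map: Λ†(G) = Σ_k K_k† G K_k, which
    pulls a small-space POVM element back to the large space."""
    d_in = len(kraus[0][0])
    out = zeros(d_in, d_in)
    for K in kraus:
        out = madd(out, matmul(matmul(dagger(K), G), K))
    return out

def is_trace_preserving(kraus, tol=1e-10):
    d_in = len(kraus[0][0])
    S = zeros(d_in, d_in)
    for K in kraus:
        S = madd(S, matmul(dagger(K), K))
    return close(S, identity(d_in), tol)

def choi_matrix(kraus):
    """T = Σ_k |K_k>><<K_k| with column-stacking vectorisation (a fixed basis
    reordering relative to Defn. 2.2.13 does not change positivity)."""
    vs = [[K[i][j] for j in range(len(K[0])) for i in range(len(K))] for K in kraus]
    n = len(vs[0])
    return [[sum(v[i] * v[j].conjugate() for v in vs) for j in range(n)]
            for i in range(n)]

def is_psd(T, tol=1e-10):
    """Eq. (4.16): T Hermitian and T >= 0, tested by elimination on Schur
    complements (every pivot >= 0, and a zero pivot must have a zero column)."""
    n = len(T)
    if not close(T, dagger(T), tol):
        return False
    A = [row[:] for row in T]
    for k in range(n):
        p = A[k][k].real
        if p < -tol:
            return False
        if p <= tol:
            if any(abs(A[i][k]) > tol for i in range(k + 1, n)):
                return False
            continue
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                A[i][j] -= A[i][k] * A[k][j] / p
    return True

def has_squashing_model(kraus, big_povm, small_povm, tol=1e-10):
    """Eq. (4.15): Λ†(F_i^Q) = F_i for every associated outcome pair, and
    Eq. (4.16): Choi matrix Hermitian PSD; trace preservation makes Λ CPTP."""
    if len(big_povm) != len(small_povm):
        return False
    if not all(close(adjoint_map(kraus, G), F, tol)
               for F, G in zip(big_povm, small_povm)):
        return False
    return is_trace_preserving(kraus, tol) and is_psd(choi_matrix(kraus), tol)

# Constructed toy instance (not a real optical measurement). Large space:
# |0>, |1> are single-detector clicks, |dc> is a double-click. Double-clicks
# are assigned a uniformly random bit, as the text recommends:
#   F_b = |b><b| + (1/2)|dc><dc|,  b in {0, 1}.
DC = 2
BIG_POVM = [madd(proj(3, b), scale(0.5, proj(3, DC))) for b in (0, 1)]
SMALL_POVM = [proj(2, 0), proj(2, 1)]          # ideal qubit measurement
# Kraus operators (2x3) of the assumed squashing map
#   Λ(ρ) = PρP† + <dc|ρ|dc> I/2,  with P = |0><0| + |1><1|.
K_P = [[1 + 0j, 0j, 0j], [0j, 1 + 0j, 0j]]
K_0 = [[0j, 0j, 1 / sqrt(2) + 0j], [0j, 0j, 0j]]
K_1 = [[0j, 0j, 0j], [0j, 0j, 1 / sqrt(2) + 0j]]
SQUASHER = [K_P, K_0, K_1]
# Projecting out double-clicks alone is not trace preserving and misses F_b.
BAD_CANDIDATE = [K_P]
```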

In addition, there are several imperfections in devices that can be
taken into account by the squashing model, such as time resolution and
inefficiency [GBN+14, Nar11, FCL11].

As examples of measurements that have squashing models, the BB84
active and passive measurement devices for the polarization
implementation, as well as the phase implementation measurement, have a
squashing model to a single-qubit equivalent measurement [BML08, TT08,
Nar11]. Surprisingly, the squashing model for the six-state protocol
with an active basis measurement (and without the addition of noise)
does not exist [BML08]. However, noise can be added in the classical
post-processing to make a squashing model possible [GBN+14].

The squashing model is a satisfiable assumption that requires the
calibrated assumption that the full description of the measurement is
known. The squashing model may also require the classical addition of
noise in order for a squashing model to be possible, which is a
verifiable assumption without the need for further assumptions (since
the classical post-processing of the measurement outcomes can be
implemented in Alice's and Bob's isolated labs).


4.8.2 Measurement Structure 

There are a variety of assumptions made about the structure of
measurements in QKD protocols. As with the squashing model above, the
calibrated assumption that the measurement POVM elements are completely
known is one such assumption. However, this assumption can lead to
side-channel-attack strategies for Eve whenever the measurement model
deviates from the assumed description. For example, if avalanche
photodiodes are used as threshold detectors (see Section 4.5.4), Eve can
continuously shine bright light into Bob's detector. This light causes
the threshold detector to have an avalanche and it cannot recover from
it, since the electrons are constantly excited by the bright light. Eve
can then completely control Bob's measurement device [LWW+10].

For example, in polarization BB84, if Eve stops sending bright light 
of a certain polarization for a time longer than the recovery time for one 
of Bob’s threshold detectors, Eve can make Bob’s threshold detectors click 
when she wants to. This control allows Eve to measure the states sent 
by Alice and force Bob’s measurement device to have exactly the same 
outputs, which makes the protocol completely insecure. 

This blinding attack has been demonstrated experimentally for BB84
[LWW+10, GLLL+11] and SARG04 [JAK+14]. This attack has also been
examined for superconducting detectors in the DPS protocol [FHS+13].
Potential ways of avoiding this attack have been discussed in [YDS11,
Sti14, LWL+14b].

Eve may do other attacks that work outside of the model for the
measurement, such as changing the timing of the signals (Section 4.8.3)
or by using other degrees of freedom, such as frequency, to change the
response of Bob's measurements. For example, the measurement device may
be calibrated to measure a certain frequency of light. If the light is
outside of a narrow range of frequencies then Bob's detector may have a
lower efficiency. Eve could then perform an attack where she changes the
frequency of the light depending on its state, so that if Bob gets a
measurement outcome, then she has partial knowledge of which outcome for
Bob is most likely.

Since the calibrated assumption that Bob's measurement device is
completely known can lead to many attacks, it would be ideal to have a
weaker assumption that is sufficient to still prove security. If the
entropic uncertainty relation (Theorem 2.3.11) is used then Bob's
measurement device only needs to be characterized by the overlap

$$ \max_{x,z} \left\| \sqrt{F_x} \sqrt{G_z} \right\|_\infty^2 $$

for the POVM elements F_x and G_z. While the POVM elements are needed
to determine this overlap, there is a related overlap and corresponding
uncertainty relation that can be experimentally verified without knowing
the POVM elements [TH13] (see Definition 7.2 in [Tom12]). This reduces
the calibrated assumption that the POVM elements are fully known to a
verifiable assumption. The experiment to verify the overlap is a CHSH
test, which requires further assumptions (see Sections 3.4.5 and 4.8.5).

4.8.3 Time Resolution

Measurements have a finite time resolution. For example, threshold
detectors are not able to perform a measurement between the time an
avalanche has started and the detector has recovered (see Section 4.5.4).
This down time is usually not taken into account in the models used for
security proofs and therefore Eve may get an advantage from this
imperfection.

In addition to the recovery time, threshold detectors can have
afterpulses, where an electron that is recovering can cause another
avalanche. If the time window for detection events is small enough, then
afterpulses could be registered as a separate detection event, causing an
error.

One attack that takes advantage of the dead time is the time-shift
attack, where Eve changes the timing of the signals so that Bob is more
likely to measure one state rather than another (since while one
threshold detector is recovering, another detector can still click)
[QFLM07, WKR+11].

Another possible attack is the phase remapping attack, where in the
phase implementation of the BB84 protocol Eve can change Bob's phase
modulation by changing the timing of the signals so that the state
reaches the phase modulator right before or right after the phase
modulation is applied [FQTL07, XQL10].

Another way that information can be leaked to Eve is if Alice
prepares states using parametric down-conversion (see Section 4.5.2) and
uses a threshold detector to measure the idler. During the down time of
the threshold detector, Alice may also produce another state that will be
output through the same state preparation. In this case Eve will get
multiple states she can use to try to determine Alice's preparation
setting. The assumption that Eve does not get an advantage with this
preparation, due to the down time in the threshold detector, is
satisfiable, since Alice can block any states from being output during
the time between sending a state and the recovery of her threshold
detector.

Alice and Bob also need to communicate their state preparation and
measurement times, so that they can pair each prepared state to a
measurement outcome. It turns out that if their timing information is
too accurate, the timing communication may give information to Eve
[LLK07] and so Alice and Bob should limit the accuracy of their timing
information [SK09]. Therefore, the assumption that Eve does not get an
advantage from the timing information is a calibrated assumption.

4.8.4 Loss

There are two kinds of losses in quantum-cryptography protocols: 
losses from the quantum channel and losses in Alice’s and Bob’s devices. 

Loss in the quantum channel can usually be taken into account in
the security proof, since Eve is allowed to do anything allowed by
quantum mechanics. For the key rate, loss usually just scales the key
rate by a constant, since the key rate is the number of secure bits that
are produced per signal sent. However, loss can be a difficult issue for
many device-independent security proofs (see Section 4.8.5). Also, the
losses in a measurement are usually not taken into account in the
security proof and therefore it would be convenient to have a method of
relating security proofs that assume lossless measurements to the
security of protocols that have lossy measurements.

Typically, security proofs assume that measurements do not have any
loss but there is loss in the quantum channel. If we can model loss in a
measurement as loss that occurs in the quantum channel followed by a
lossless detector then we can apply these security proofs to
implementations with lossy measurements.

For example, the loss in a single-photon detector is the probability
that it will give a vacuum output given that it receives a single photon.
Typically, it is assumed that losses happen with a fixed probability,
i.e. independent of how many photons are input to the detector and
independent of the structure of the state. This is a set of calibrated
assumptions, since this loss model approximately describes the ways
losses occur in practice.

For measurements that have threshold detectors, a lossy threshold
detector can be modelled as a beamsplitter followed by a threshold
detector with perfect efficiency. One input to the beamsplitter is the
input state and the other input is the vacuum; the reflected output goes
to the environment and the transmitted output goes to a threshold
detector with perfect efficiency.

For example, in the active BB84 measurement using polarization,
there are two threshold detectors after a polarizing beamsplitter. If the
efficiency of each threshold detector is the same (this is a calibrated
assumption) then we can decompose each lossy threshold detector into a
beamsplitter and a lossless threshold detector. Since a beamsplitter
commutes with a polarizing beamsplitter, the two equivalent beamsplitters
after a polarizing beamsplitter are equivalent to one of these
beamsplitters followed by the polarizing beamsplitter (see Fig. 4.5).
This means that loss in the detector can be modelled as loss that occurs
in the quantum channel followed by a lossless detector. Now we can apply
a security proof that assumes that there are losses in the quantum
channel to this implementation.

Figure 4.5: Commuting beamsplitters. The situation on the left is a 50:50
beamsplitter followed by two identical beamsplitters with transmissivity T
and reflectivity R. This situation is equivalent to one of the R, T
beamsplitters followed by a 50:50 beamsplitter.

However, if the losses for each threshold detector are not the same
then this imperfection needs to be taken into account by the security
proof (see [FTQ+09] for an example).

As another example, consider the measurement used in the phase
implementation of BB84 (see Fig. 4.4). If there is loss in the threshold
detectors then (under the same calibrated assumption that the loss can
be modelled as a beamsplitter) the measurement is equivalent to a
beamsplitter followed by a lossless measurement. However, the phase
modulator may have loss as well. In this case, if the loss is modelled as
a beamsplitter then, to commute the beamsplitters and make the same
argument as with the active polarization BB84 measurement, the ratio of
the 50:50 beamsplitter changes to a new ratio (see [FNL12] for the
details of this ratio). Then a new security proof is needed for a
lossless measurement that does not have a 50:50 beamsplitter [FNL12].

In general, losses in measurements need to be taken into account by
either having a calibrated assumption about the model of the loss (to
separate a lossy measurement into loss followed by a lossless
measurement) or by including lossy measurements directly in the security
proof.

4.8.5 Bell Tests 

Device-independent QKD protocols require a CHSH experiment or
other kind of Bell test (see Section 3.4.5). To use the outputs of a
Bell test for QKD, some assumptions about the devices and channel may be
necessary. If in an implementation there are deviations from these
assumptions, such that a Bell inequality violation is observed but there
are states that are described by a local hidden variable model that
could give the same measurement outcomes, then there is a loophole in
the implementation.

Two recent reviews discuss many of the loopholes that exist in
implementations of Bell tests [Lar14, BCP+14]. A major loophole is that
detectors are not perfectly efficient so some measurement outcomes are
lost [MML08, LPT+13]. These lost measurements should be replaced with
uniformly random bits to ensure that an eavesdropper did not correlate
the losses with Alice's and Bob's measurement outcomes. Another loophole
is that Alice's and Bob's devices need to be spatially separated,
otherwise there may be signalling between them. For example, it could be
that Alice's measurement is chosen at her end and then a message is sent
to Bob's measurement to tell it to output a bit that depends on Alice's
measurement outcome and basis choice. This situation can be avoided if
Alice and Bob ensure the timing of their measurements is close enough
that signalling is not possible.

It has been assumed for many device-independent security proofs that
each measurement is done independently (see [AFTS12, BCK13] and
references therein). This assumption could only be justified in the
device-independent setting if a separate measurement device was used
for each measurement, which is completely impractical. However, now
there are security proofs and methods to avoid this assumption [BCK12,
RUV13, VV12].

The assumptions for Bell tests are usually fundamental assumptions
because they require a strict adherence to a perfect model that is not
possible in practice.


4.8.6 Sampling with Measurements 

For P&M protocols with a basis choice, Alice and Bob need to sift out
measurement outcomes that were not prepared and measured in the same
basis. Similarly, for entanglement-based protocols with a basis choice,
Alice and Bob will remove outcomes where they did not measure in the
same basis. For a protocol with two bases, such as BB84, the bases can
be chosen uniformly at random. However, this means that half of the
measurement outcomes will be removed. To increase the key rate, it may
be preferable to bias one basis over the other. If one basis is chosen
with probability p < 1/2 and the other with probability 1 − p then the
fraction of measurement outcomes that are sifted out will be
approximately 2p(1 − p). However, the probability p cannot be made too
small, or else there will not be enough measurements in one basis for
parameter estimation. This probability can then be optimized for the
given protocol, such as in [TLGR12].

As we have described parameter estimation in this thesis thus far, it
is performed by Alice or Bob picking a random subset of their measurement
outcomes to be communicated to the other party. However, for protocols
with a biased basis choice it is preferable to use the basis that is
chosen with probability p for parameter estimation, while the other
basis' measurement outcomes will be used for the key. This assignment
would be sufficient for parameter estimation, since by using a tool like
the entropic uncertainty relation (Theorem 2.3.11), the measurement
outcomes of one basis are sufficient to prove security (see Section
3.4.2).

However, to perform parameter estimation, it is important to be able
to infer the statistics of Alice's and Bob's entire strings from a small
sample. Typically a result like Serfling's inequality (Lemma 3.3.4) is
used to do this estimation. These kinds of results require that the
sample is taken uniformly at random from a classical string. For
example, Alice may choose a random subset of her string to communicate
to Bob by using some classical randomness. Instead, the sampling can be
done through a measurement's basis choice, where Alice and Bob may only
communicate measurement results from one basis and use the measurement
results from the other basis for the key. In this setting it is not
clear if the same sampling statistics like Serfling's inequality still
hold and it is currently an open question [BDFR15]. Ideally, Alice and
Bob would still only need to communicate a small fraction of their
strings in order to get the same bound as in Lemma 3.3.4. Currently, the
assumption that sampling by using a basis choice gives the same estimate
as classical estimation is a fundamental assumption.


4.9 Classical Post-Processing Assumptions 


Not only are there assumptions about the devices and quantum states 
used in the protocol but there are assumptions made about the classical 
components of the protocol and the classical post-processing as well. 

First, the randomness used in the protocol (such as for basis choices,
picking the random sample in parameter estimation, picking a hash
function for privacy amplification, etc.) must be truly random (see
Randomness Extraction in Section 1.1.2). If the protocol does not use
true random numbers then it is not clear if the steps of the protocol
that use randomness still produce the same results. Therefore, it is
important to investigate if security still holds if this assumption is
relaxed. For example, if Eve is able to control some of Alice's and
Bob's basis choices then Alice and Bob may still be able to certify that
they have violated a Bell inequality [KHP+12]. However, if true random
numbers are generated then the assumption that true randomness is used
is a verifiable assumption. If the random numbers are only approximately
truly random (for example, only a lower bound on the min-entropy of some
classical data is known) then the assumption can be verifiable, since a
randomness extraction protocol can extract almost perfect randomness
from an imperfect source (see Sections 1.1.2 and 3.3.1). Randomness
extraction is universally composable, so randomness that is extracted
from an imperfect random source can be combined with a universally
composable QKD protocol that uses that randomness. If the QKD protocol
requires perfectly uniform randomness then it can use the almost perfect
randomness from a randomness extraction protocol and the QKD protocol
will still be secure. The security parameter for the composition of
randomness extraction and QKD will depend on the specific protocols that
are used (see [PR14b] for an example of composition of QKD with another
protocol).

Second, Alice and Bob have to estimate how much information Eve
gets from the classical communication sent during information
reconciliation so that they can remove Eve's knowledge of Alice's and
Bob's strings in privacy amplification. If this estimate is too low, then
the protocol may be insecure. A precise analysis of how much information
Eve gets from the communication in information reconciliation can be
found in [TMMPE14].

Lastly, the classical computers that are used to store the measurement 
outcomes and to perform the classical post-processing should be isolated. 
For example, if these computers are connected to the internet then Eve 
may be able to hack into the computer to discover Alice’s and Bob’s strings. 
It is therefore a fundamental assumption that Eve does not get access to 
Alice’s and Bob’s classical computers. 





Chapter 5 

Contributions 


5.1 Introduction 


In this chapter we review two contributions that are relevant to the 
framework discussed in this thesis. 

The first contribution is a security proof of two QKD protocols that
use two-way quantum communication. In these protocols Alice sends states
to Bob, Bob performs an encoding operation on these states, and then he
sends the states back to Alice [BLMR13]. Here we present these idealized
protocols and discuss the assumptions necessary for the security proofs
to hold.

The second contribution is a proof of one of the most fundamental
properties in information theory: the data-processing inequality [BR12].
Informally, this inequality states that if a physical system undergoes a
transformation, then the information content of that system cannot
increase. If the inequality were not true, then the world we live in
would be very strange! For example, a computer could run an algorithm
such that the computer would learn everything about the universe without
having to interact with the universe.

The data-processing inequality is used extensively throughout
quantum information theory in a variety of contexts. We include the
data-processing inequality in this thesis because of its fundamental
nature and widespread use, but also because our proof is of a similar
spirit to this thesis: this proof separates a fundamental property that
is easy to prove from a specialization that is difficult. In Chapters 3
and 4 we have separated the ‘simple’ task of proving security for an
idealized model of a QKD protocol from the more challenging task of
connecting the security statement with implementations.

In addition to these two contributions, this thesis is a contribution,
since it discusses several topics in the field of quantum cryptography and
quantum key distribution: security, security proof methods and
assumptions. Another contribution was outlined in Section 4.8.1, which
was work done prior to this PhD [BML08, MGB+10, GBN+14]. There is
another contribution that deals with generalizing the mutual information
but it is unrelated to the contents of this thesis [CBR14]. Lastly, there
is a contribution in progress that is related to Section 4.8.6 [BDFR15].


5.2 Two-Way QKD 


Two-way QKD uses two quantum channels: one from Alice to Bob and
one from Bob to Alice. In practical implementations, the second channel
may be the first channel used in the reverse direction. These protocols
have been introduced as an alternative to one-way QKD, since they could
have higher key rates than their one-way equivalents in certain
implementation scenarios [CL04b, CL04a, DL04, BF02, LM05].

One inefficiency in BB84-like protocols is the need for basis sifting. 
Since Alice and Bob need to throw away a fraction of their key, the key rate 
would be higher if they used a protocol that is deterministic, e.g. that has 
a basis choice but does not require basis sifting. Since Alice both prepares 
and measures the states in the two-way protocols we consider, she can 
choose the basis of her measurement based on what state she prepared. 
Therefore, no basis sifting is necessary for these two-way protocols. 

Protocols with a basis choice can be made more efficient by choosing
the bases with different probabilities (see Section 4.8.6). In the
infinite-key scenario, this removes the effect of basis sifting, since an
arbitrarily strong bias of one basis over the other(s) can be made while
still getting perfect statistics about measurement outcomes from each
basis. However, in the finite-key regime there is a tradeoff between the
basis choice probability and other parameters in the protocol, which
results in a limit on the basis bias (see Table II of [TLGR12] for an
example). Deterministic two-way protocols might have an efficiency
advantage over protocols with basis sifting in the finite-key scenario
[BLMR13].

There also exist two-way implementations of one-way protocols. For example, the BB84 protocol can be implemented in a Plug & Play version [RGG+98, MHH+97], which is a two-way protocol. In this protocol, one bit is communicated for every quantum state sent forwards and backwards through the same quantum channel. However, it is known that two bits can be communicated by sending one qubit (this task is called super dense coding, see Section 5.2.2) [BW92]. We propose a QKD protocol that can send two bits of information per qubit and prove its security.

A severe limitation of two-way QKD is the scaling of the losses with the length of the quantum channel between Alice and Bob. If the loss in each channel is $\eta$ then the total loss is $\eta^2$. This means that two-way QKD is primarily only useful for short-range applications. However, it may still be useful to perform QKD from the ground to a satellite [VBD+14].

Here we describe two two-way protocols in their perfect forms and then discuss how the security proofs of these protocols fit into the framework for assumptions discussed in Chapter 4.


5.2.1 Modified LM05 QKD Protocol 

The LM05 protocol described here is a modified version of the original protocol in [LM05]. Alice prepares one of the four BB84 states $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$ uniformly at random and sends the state to Bob through one quantum channel (see Fig. 5.1).

Bob applies a map with probability $r$ or a measurement followed by a state preparation with probability $1 - r$ to the output of the first channel. The map is chosen uniformly at random from one of the four maps $\{\mathrm{id}, \sigma_X, \sigma_Y, \sigma_Z\}$ (which we call an encoding), where $\sigma_i$ are the Pauli operators (see Section 1.2.2) and $\mathrm{id}$ is the identity map. These maps are applied to the state $\rho$ so that the output is $\sigma_i \rho \sigma_i$.

Bob’s measurement and state preparation is one of two possibilities, which define two versions of the protocol. In Version 1, Bob applies an X-basis measurement, and in Version 2 he picks uniformly at random between a measurement in the X basis or the Z basis. After his measurement he prepares the state that corresponds to his measurement outcome. For example, if he measured $|0\rangle$ in the Z basis then he would prepare the state $|0\rangle$.


Bob sends his newly prepared state or the outcome of the encoding on his received state into a second quantum channel back to Alice. Alice then measures the state out of the second channel either in the X or Z basis as in the BB84 protocol (see Section 1.2.2). Alice chooses her basis to match the state she prepared. For example, if she prepared $|-\rangle$ then she will measure in the X basis.

Figure 5.1: The modified LM05 protocol (Version 1). Alice prepares one of the four BB84 states and sends it to Bob through one insecure quantum channel. Bob either does one of four possible encoding operations and sends the state back to Alice, or does a measurement in the X basis. After the measurement he sends the post-measurement state back to Alice. Alice measures in the X or Z basis at random and adds the bit that corresponds to her state preparation and measurement outcome together to form her string. Bob’s string is constructed depending on which encoding operations he performs.

Alice and Bob will use most of the instances where an encoding was performed for the key. They will use the times when Bob did a measurement (and preparation of a state) for parameter estimation only. For direct reconciliation Alice publicly reveals which basis she used for each signal. Bob will reveal which basis he measured in and when he measured instead of applying a map. Alice’s raw key is made up of the XOR of her measurement outcomes and her preparation bit (which is 0 when she prepared $|0\rangle$ or $|+\rangle$ and 1 when she prepared $|1\rangle$ or $|-\rangle$). Bob’s string comes from his encoding operation, which corresponds to the two bits 00, 10, 11, 01 for $\mathbb{1}, \sigma_X, \sigma_Y, \sigma_Z$ respectively. When Alice measures in the Z basis Bob keeps his first bit, and when Alice measures in the X basis Bob keeps his second bit. The case of reverse reconciliation can be treated similarly.

The modification from the original LM05 protocol is the addition of the measurement on Bob’s system (see Fig. 5.1). This measurement is sufficient to avoid an attack by Eve that gives her full information and does not introduce any errors in Alice’s measurements. For example, when Eve receives a state from Alice in the first channel, Eve can store it in a quantum memory and can prepare a maximally entangled Bell state $|\psi^+\rangle$ (see Eq. 1.18). Eve sends half of the Bell state into Bob’s encoding. In the unmodified LM05 protocol this state goes directly into Bob’s encoding and Eve gets the outcome. Eve can do a Bell measurement on the outcome of the encoding and the other half of her prepared entangled state to determine Bob’s encoding with certainty. Eve can apply the encoding to the state she stored from Alice and send it back to Alice in the second channel. By using this attack, Eve learns Bob’s encoding and Alice does not get any errors in her measurement. By adding an X-basis measurement (in Version 1) or both Z- and X-basis measurements (Version 2) on Bob’s side, Alice and Bob will estimate an error rate of 1/2 in the first channel (after post-selecting on when Alice’s and Bob’s bases match) if Eve tries this attack.

1 In [BLMR13] the roles of Alice and Bob are reversed compared to the way they are presented here. This means that reverse reconciliation for this thesis means direct reconciliation in the paper. We reverse the roles here to be consistent with our definition of direct and reverse reconciliation in this thesis.

We discuss the security proof of the LM05 protocol and the assumptions required in Sections 5.2.3 and 5.2.4 below.
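The following is an added example, not code from the thesis or from [BLMR13]: a pure-Python state-vector simulation of Version 1 of the modified LM05 protocol that runs the Bell-state attack described above against both the original and the modified protocol, so that one can see that Alice's key error stays at zero in both cases while Bob's added X-basis measurement exposes the attack as an error rate of 1/2 in the first channel. Eve keeping qubit 0 of $|\psi^+\rangle$, the round counts and the random seed are choices made for this example.

```python
import math
import random

# Single-qubit operators and bases, constructed for this example.
ID = [[1, 0], [0, 1]]
PAULIS = [ID, [[0, 1], [1, 0]], [[0, -1j], [1j, 0]], [[1, 0], [0, -1]]]  # id, X, Y, Z
ENC_BITS = [(0, 0), (1, 0), (1, 1), (0, 1)]   # Bob's two bits for id, X, Y, Z
S = 1 / math.sqrt(2)
BASES = {"Z": [[1, 0], [0, 1]], "X": [[S, S], [S, -S]]}  # {|0>,|1>} and {|+>,|->}
PSI_PLUS = [S, 0, 0, S]                       # (|00> + |11>)/sqrt(2), Eq. 5.1


def matvec(m, v):
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]


def kron(a, b):
    """Kronecker product of square matrices; qubit 0 is a's, qubit 1 is b's."""
    n, m = len(a), len(b)
    return [[a[i // m][j // m] * b[i % m][j % m] for j in range(n * m)]
            for i in range(n * m)]


def inner(u, v):
    return sum(x.conjugate() * y for x, y in zip(u, v))


def measure(state, basis, which=None):
    """Projective measurement of a one-qubit state, or of qubit `which` of a
    two-qubit state. Returns (outcome index, normalised post-measurement state)."""
    posts, probs = [], []
    for vec in basis:
        proj = [[vec[i] * vec[j].conjugate() for j in range(2)] for i in range(2)]
        if which is not None:
            proj = kron(proj, ID) if which == 0 else kron(ID, proj)
        post = matvec(proj, state)
        posts.append(post)
        probs.append(inner(post, post).real)
    k = random.choices(range(len(basis)), weights=probs)[0]
    return k, [x / math.sqrt(probs[k]) for x in posts[k]]


def other_qubit(state2, v):
    """For a product state u (x) v whose qubit 1 is known to be v, recover u."""
    return [sum(v[j].conjugate() * state2[2 * i + j] for j in range(2)) for i in range(2)]


# Eve keeps qubit 0 of PSI_PLUS and sends qubit 1 to Bob.  If Bob applies
# sigma_i to his qubit the pair becomes BELL[i], so a Bell measurement reveals i.
BELL = [matvec(kron(ID, p), PSI_PLUS) for p in PAULIS]


def bell_measure(state2):
    probs = [abs(inner(b, state2)) ** 2 for b in BELL]
    return random.choices(range(4), weights=probs)[0]


def lm05_round(r, modified, eve):
    """One round of LM05 Version 1 (modified: Bob measures X with prob. 1-r).
    Returns (alice_basis, bob_measured, key_error, ch1_error, ch2_error)."""
    basis, bit = random.choice("ZX"), random.randrange(2)
    prepared = list(BASES[basis][bit])
    bob_measures = modified and random.random() >= r
    enc, k = random.randrange(4), None
    if not eve:                                   # honest, lossless channels
        if bob_measures:
            k, _ = measure(prepared, BASES["X"])
            returned = list(BASES["X"][k])        # Bob re-prepares his outcome
        else:
            returned = matvec(PAULIS[enc], prepared)
    else:                                         # the attack described in the text
        pair = list(PSI_PLUS)                     # Alice's qubit stays in Eve's memory
        if bob_measures:
            k, pair = measure(pair, BASES["X"], which=1)
            fresh = BASES["X"][k]                 # Bob's re-prepared qubit goes to Eve
            joint = [x * y for x in other_qubit(pair, fresh) for y in fresh]
        else:
            joint = matvec(kron(ID, PAULIS[enc]), pair)
        guess = bell_measure(joint)               # certain if Bob encoded, random otherwise
        returned = matvec(PAULIS[guess], prepared)  # encoding replayed onto Alice's qubit
    a_out, _ = measure(returned, BASES[basis])    # Alice measures in her preparation basis
    if bob_measures:                              # parameter-estimation round
        return basis, True, None, k != bit, a_out != k
    bob_bit = ENC_BITS[enc][0] if basis == "Z" else ENC_BITS[enc][1]
    return basis, False, (a_out ^ bit) != bob_bit, None, None


def simulate(rounds, r=0.5, modified=True, eve=False, seed=1):
    """Error rates for the key (encoding rounds) and for the first and second
    channel (measurement rounds, post-selected on Alice's X basis)."""
    random.seed(seed)
    key, ch1, ch2 = [0, 0], [0, 0], [0, 0]
    for _ in range(rounds):
        basis, measured, ke, e1, e2 = lm05_round(r, modified, eve)
        if not measured:
            key[0], key[1] = key[0] + ke, key[1] + 1
        elif basis == "X":
            ch1[0], ch1[1] = ch1[0] + e1, ch1[1] + 1
            ch2[0], ch2[1] = ch2[0] + e2, ch2[1] + 1
    rate = lambda c: c[0] / c[1] if c[1] else None
    return {"key": rate(key), "ch1": rate(ch1), "ch2": rate(ch2)}
```

Calling `simulate(2000)`, `simulate(2000, modified=False, eve=True)` and `simulate(2000, eve=True)` gives a zero key error in all three cases, no first-channel statistic at all for the original protocol, and a first-channel error rate near 1/2 for the modified protocol under attack.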


5.2.2 Super Dense Coding QKD Protocol 


The super dense coding (SDC) QKD protocol is similar to the LM05 protocol and is introduced in [BLMR13]. The SDC QKD protocol is based on the quantum information task of super dense coding (hence the name).


Super dense coding is the task of sending two classical bits from Alice to Bob by Alice sending one qubit to Bob. To do this task, one qubit of a maximally entangled two-qubit state is sent to Alice and the other qubit is sent to Bob. For example, this state may be

$|\psi^+\rangle_{AB} = \frac{|00\rangle + |11\rangle}{\sqrt{2}}.$ (5.1)

Depending on the two bits Alice wants to communicate $\{00, 01, 10, 11\}$ she will apply $\{\mathrm{id}, \sigma_X, \sigma_Z, \sigma_Y\}$ respectively, where $\sigma_i$ are the Pauli operators (see Section 1.2.2) and $\mathrm{id}$ is the identity map. As in the LM05 protocol, these are applied as $\sigma_i \rho_A \sigma_i$ to the input $\rho_A$. This map results in either the state $|\psi^+\rangle$ for 00 or one of the other three states from the Bell basis (Eq. 1.18). Alice now sends her qubit to Bob. Bob can do a measurement in the Bell basis to determine which state he has and learn which two bits Alice wants to communicate.


Note that Alice’s sent qubit appears to be the maximally mixed state $\mathbb{1}_A/2$ to an eavesdropper who does not know Alice’s two bits. We show that this kind of protocol can be used for QKD and is provably secure [BLMR13].

Figure 5.2: The SDC QKD protocol. Alice prepares the maximally entangled state $|\psi^+\rangle$ and stores half of it in a quantum memory. Bob applies an encoding or a Z-basis measurement followed by a random preparation of $|+\rangle$ or $|-\rangle$. Bob sends the resulting state back to Alice, who either does a Bell measurement or measures her state in the Z basis and Bob’s returned state in the X basis.

The SDC QKD protocol starts with Alice preparing $|\psi^+\rangle$ and keeping one qubit of the state in a quantum memory (see Fig. 5.2). She sends the other qubit to Bob through a quantum channel. Bob will, with probability $r$, apply the same set of maps that are used in the LM05 protocol and super dense coding (uniformly at random one of $\{\mathrm{id}, \sigma_X, \sigma_Z, \sigma_Y\}$); and, with probability $1 - r$, he measures the qubit in the Z basis and then uniformly at random prepares a state in the X basis. Bob sends this random X-basis state or the outcome of his encoding back to Alice. Alice will, with probability $r$, measure in the Bell basis. This measurement will ideally tell her what map Bob applied and therefore she learns two bits from Bob. With probability $1 - r$ Alice measures her stored qubit in the Z basis and her received qubit in the X basis.

The encoding and Bell measurement are used for the key, while the Z- and X-basis measurements are used for parameter estimation.

We now discuss the security of the LM05 and SDC protocol, followed 
by the assumptions under which security holds. 
5.2.3 Security Proofs of Modified LM05 and SDC QKD

The protocol model under which we prove security for both the modified LM05 protocol and the SDC protocol is for the protocol class [partially device-dependent, infinite-key, qubits, basis choice, coherent attacks] (see Section 3.4.1). The security proof applies to both the P&M protocols described above and equivalent entanglement-based protocols. The proof also applies regardless of whether the measurements are done in an active or passive way.

The proofs of security for both protocols use the entropic uncertainty 
relation of Theorem 2.3.11 as well as the Devetak-Winter key rate (see 
Section 3.4.2). To apply these tools, the P&M protocols are shown to be 
equivalent to an entanglement-based protocol. 

For the LM05 protocol, by using the uncertainty relation and the Devetak-Winter rate, we get a lower bound on the key rate of

$r \geq 1 - \min_i h(q_{G_i}) - h(q_F),$ (5.2)

where $h(\cdot)$ is the binary entropy function (Defn. 2.3.2), $q_F$ is the error rate in Alice’s measurement compared to Bob’s prepared states, and $q_{G_i}$ is the error rate in Bob’s measurements with Alice’s preparations, where $i \in \{0, 1\}$ denotes whether it is the error rate in the Z basis from the first channel or the X basis in the second channel. Eq. 5.2 is an improvement on the key rate of [LFMC11]. In addition, we make fewer assumptions about the states and devices than [LFMC11] (see Section 5.2.4).

For the SDC protocol we get a lower bound on the key rate of

$r \geq 2 - h_4(q_G) - h_4(q_F),$ (5.3)

where $h_4(q)$ is the Shannon entropy of a distribution with four values,

$h_4(q) := -q_1 \log q_1 - q_2 \log q_2 - q_3 \log q_3 - q_4 \log q_4,$ (5.4)

where $\sum_{i=1}^{4} q_i = 1$ and $q_i \geq 0$, $i \in \{1, 2, 3, 4\}$. The error rate $q_G$ is the set of errors between Alice’s and Bob’s Z- and X-basis measurements, $q_G := \{q_G^1, q_G^2, q_G^3, q_G^4\}$: $q_G^1$ corresponds to no error, $q_G^2$ corresponds to an error in the Z basis but not in the X basis, $q_G^3$ to an error in the X basis but not in the Z basis, and $q_G^4$ to an error in both the Z and X basis. The error rate $q_F := \{q_F^1, q_F^2, q_F^3, q_F^4\}$ is the set of errors between Bob’s encoding and Alice’s Bell measurement. Each of these error rates corresponds to whether there is no error in either bit of the Bell measurement, an error in the first bit only, an error in the second bit only, or an error in both bits.

2 While the LM05 protocol has a basis choice, this choice is deterministic in that Alice 
knows which basis to measure in and therefore there is no basis sifting needed. 
5.2.4 LM05 and SDC Assumptions

We now consider the assumptions necessary for the security proofs to 
apply to an implementation of the LM05 or SDC protocol [BLMR13]. We 
use the classification of Section 4.3 to denote what kinds of assumptions 
they are and how they are justified: fundamental, calibrated, verifiable, or 
satisfiable. 

1. Qubits are prepared. 

This assumption is fundamental, since qubits cannot be prepared in practice. However, this assumption can be removed: if Alice prepares entangled bipartite states and does a measurement with a basis choice on one half of it, using the other half as her prepared state sent into the first channel, then no assumption is necessary about the preparation of states.

This assumption is necessary to make the connection between the 
P&M protocols and their entanglement-based equivalents. 

2. Bob’s output encoded state is a fixed state.

Formally, this assumption can be stated using the maps that Bob uses in his encoding, which map states acting on $\mathcal{H}_A$ to states acting on $\mathcal{H}_D$, as

(5.5)

This assumption is calibrated, since Bob can calibrate his encoding device so that on average over the encodings his state is approximately a fixed state, $\sigma_D$. Ideally $\sigma_D$ should be a maximally mixed state, since in the perfect protocol description we have

$\frac{1}{4}\left(\rho + \sigma_X \rho \sigma_X + \sigma_Y \rho \sigma_Y + \sigma_Z \rho \sigma_Z\right) = \frac{\mathbb{1}}{2},$ (5.6)

for any qubit state $\rho$. However, we do not assume that Bob receives a qubit. We only assume that Eq. 5.5 holds for any input state $\rho_A$, regardless of the Hilbert space $\mathcal{H}_A$.

This assumption is necessary in order to make the connection between the P&M protocols and their entanglement-based versions.
3. Measurements detect each signal independently.

This assumption is calibrated, since the measurement devices are not 
designed to have a memory. However, if threshold detectors are used 
then during their dead times they may have some memory effects 
(see Section 4.8). 

This assumption is necessary to use the uncertainty relation and the 
Devetak-Winter rate applied to each signal independently. 

4. Alice or Bob’s devices are characterized by a single constant. 

This assumption is verifiable. Depending on whether direct or reverse reconciliation is performed, the uncertainty relation is applied such that Alice’s or Bob’s devices only need to be characterized by a single constant. This constant can be verified for Alice’s measurement by doing a Bell test (see Section 4.8.2).

5. There are no losses. 

This assumption is fundamental, since in practice there will always 
be some loss. It was made to simplify the analysis. 

If Alice does her preparations using entangled states then these security proofs require one unjustified fundamental assumption, two calibrated assumptions, and one verifiable assumption. There are also other fundamental assumptions that are implicitly made in all QKD implementations, such as the isolation of Alice’s and Bob’s labs and that quantum mechanics is correct (see Section 4.4). It remains as future work to extend this security proof to take losses and finite-key effects into account.


5.3 The Data-Processing Inequality 


The data-processing inequality was first proven in [LR73a, LR73b]. However, the proof of this inequality has remained quite challenging: it requires many mathematical tools to prove this very fundamental property of information. For example, there have been initial proofs using abstract operator properties [LR73a, LR73b, Sim79] and their simplified versions [NP05, Pet86, Rus07]. There are other proofs using the operational meaning of the von Neumann entropy [HOW06, HOW05], Minkowski inequalities [CL99, CL08], or holographic gravity theory [HT07a, HT07b]. All of these different techniques give insight into why the data-processing inequality is true.
Our contribution is a proof that provides intuition as to why the proof is difficult: the property itself is not hard to prove; what is hard is the specialization of this property to the quantity used, the von Neumann entropy [BR12].

Formally, the data-processing inequality for the von Neumann entropy is stated as

$H(A|BC)_\rho \leq H(A|B)_\rho,$ (5.7)

for a quantum state $\rho_{ABC} \in \mathcal{S}_=(\mathcal{H}_{ABC})$. As mentioned in Section 2.3.1, this inequality also implies that the entropy cannot decrease under any CPTP map acting on B.

We can prove the inequality for the smooth min-entropy, where the proof follows almost directly from the definition, and then we specialize the smooth-min-entropy inequality to the von Neumann entropy via the quantum asymptotic equipartition property (QAEP) (Theorem 2.3.12) [TCR09]. We also provide an alternative proof of the QAEP to that of [TCR09], where we do not concern ourselves with the rate at which the smooth min-entropy approaches the von Neumann entropy in the limit of Theorem 2.3.12 [BR12].

The proof methods used in our proof of the data-processing inequality show the power of quantum information theory: it can prove this fundamental property in a simple way for a more general quantity. In addition, our proof highlights that one-shot entropies are more fundamental than the von Neumann entropy, since the proof of the data-processing inequality is easy for the smooth min-entropy.

The proof of the data-processing inequality for the min-entropy is simple, so we reproduce it here.

Theorem 5.3.1 (Smooth min-entropy data-processing inequality [Ren05, TCR10, KRS09, BR12]). Let $\rho_{ABC} \in \mathcal{S}_=(\mathcal{H}_{ABC})$. Then

$H^{\epsilon}_{\min}(A|BC)_\rho \leq H^{\epsilon}_{\min}(A|B)_\rho.$ (5.8)

Proof. The proof works by finding a candidate solution to the maximization inside $H^{\epsilon}_{\min}(A|B)$ by using $H^{\epsilon}_{\min}(A|BC)$. Their definitions (Defns. 2.3.6 and 2.3.9 together) are

$H^{\epsilon}_{\min}(A|B)_\rho = \max_{\rho'_{AB} \in \mathcal{B}^{\epsilon}(\rho_{AB})} \max_{\sigma'_B} \sup\{\lambda' : \rho'_{AB} \leq 2^{-\lambda'} \mathbb{1}_A \otimes \sigma'_B\},$ (5.9)

$H^{\epsilon}_{\min}(A|BC)_\rho = \max_{\rho'_{ABC} \in \mathcal{B}^{\epsilon}(\rho_{ABC})} \max_{\sigma'_{BC}} \sup\{\lambda : \rho'_{ABC} \leq 2^{-\lambda} \mathbb{1}_A \otimes \sigma'_{BC}\}.$ (5.10)
First, we find the optimal values for all of the maximizations in the definition of $H^{\epsilon}_{\min}(A|BC)$, so we have $\lambda = H^{\epsilon}_{\min}(A|BC)_\rho$, $\rho'_{ABC} \in \mathcal{B}^{\epsilon}(\rho_{ABC})$, and $\sigma'_{BC}$ fixed. We have the inequality

$\rho'_{ABC} \leq 2^{-\lambda} \mathbb{1}_A \otimes \sigma'_{BC}.$ (5.11)

By applying the trace over system C this inequality becomes

$\rho'_{AB} \leq 2^{-\lambda} \mathbb{1}_A \otimes \sigma'_B.$ (5.12)

We know that $\rho'_{ABC} \in \mathcal{B}^{\epsilon}(\rho_{ABC})$ and so $P(\rho'_{ABC}, \rho_{ABC}) \leq \epsilon$. Since the purified distance does not increase under the partial trace (Lemma B.3.9), it follows that $P(\rho'_{AB}, \rho_{AB}) \leq \epsilon$. Therefore we have $\rho'_{AB} \in \mathcal{B}^{\epsilon}(\rho_{AB})$ and $\sigma'_B \in \mathcal{S}_=(\mathcal{H}_B)$, which are candidates for maximizing $H^{\epsilon}_{\min}(A|B)_\rho$. Since the optimal values for the maximizations in $H^{\epsilon}_{\min}(A|B)$ will result in the largest $\lambda'$, it follows that $\lambda \leq \lambda'$, which is the desired inequality. □
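As an added illustration of Theorem 5.3.1 (this is not code from the thesis), the following replays the proof in the classical case with $\epsilon = 0$, where $\rho_{ABC}$ is diagonal, the operator inequality $\rho'_{ABC} \leq 2^{-\lambda}\mathbb{1}_A \otimes \sigma'_{BC}$ becomes $p(a,b,c) \leq 2^{-\lambda}\sigma(b,c)$, and $H_{\min}(A|BC) = -\log_2 \sum_{b,c} \max_a p(a,b,c)$. The distribution (a uniform bit $A$ with two independent noisy copies $B$ and $C$) is constructed for this example.

```python
import math
from itertools import product


def noisy_copy_distribution(flip_b=0.25, flip_c=0.10):
    """Constructed example: A is a uniform bit, B and C are independent noisy
    copies of A (bit-flip probabilities flip_b and flip_c)."""
    p = {}
    for a, b, c in product((0, 1), repeat=3):
        p[(a, b, c)] = (0.5 * (flip_b if b != a else 1 - flip_b)
                        * (flip_c if c != a else 1 - flip_c))
    return p


def marginal(p, keep):
    """Trace out every position of the joint distribution not listed in `keep`."""
    q = {}
    for key, val in p.items():
        k = tuple(key[i] for i in keep)
        q[k] = q.get(k, 0.0) + val
    return q


def hmin(p, cond):
    """H_min(A|cond) for a classical distribution over (A, B, C), with A at
    position 0.  The inequality p(a, y) <= 2^-lambda sigma(y) is tightest for
    sigma(y) proportional to max_a p(a, y), giving -log2 sum_y max_a p(a, y)."""
    q = marginal(p, (0,) + tuple(cond))
    ys = {k[1:] for k in q}
    return -math.log2(sum(max(q.get((a,) + y, 0.0) for a in (0, 1)) for y in ys))


def dpi_candidate_check(p):
    """Replay the proof of Theorem 5.3.1 (epsilon = 0): take the optimal
    (lambda, sigma_BC) for H_min(A|BC), trace out C, and confirm the traced
    pair still satisfies the defining inequality of H_min(A|B), so that the
    optimum lambda' of H_min(A|B) is at least lambda."""
    lam = hmin(p, (1, 2))
    best = {y: max(p[(a,) + y] for a in (0, 1)) for y in product((0, 1), repeat=2)}
    total = sum(best.values())
    sigma_bc = {y: v / total for y, v in best.items()}            # normalised sigma_BC
    holds_abc = all(p[(a, b, c)] <= 2 ** -lam * sigma_bc[(b, c)] + 1e-12
                    for a, b, c in product((0, 1), repeat=3))     # Eq. 5.11
    p_ab = marginal(p, (0, 1))
    sigma_b = {b: sigma_bc[(b, 0)] + sigma_bc[(b, 1)] for b in (0, 1)}   # Tr_C sigma_BC
    holds_ab = all(p_ab[(a, b)] <= 2 ** -lam * sigma_b[b] + 1e-12
                   for a, b in product((0, 1), repeat=2))         # Eq. 5.12
    return holds_abc and holds_ab and lam <= hmin(p, (1,)) + 1e-12
```

For this distribution $H_{\min}(A|BC) = -\log_2 0.9 \approx 0.152$, $H_{\min}(A|B) = -\log_2 0.75 \approx 0.415$ and $H_{\min}(A) = 1$, so conditioning on more side information can only lower the min-entropy, as the theorem states.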

Combining the QAEP with the DPI for the smooth min-entropy immediately implies the data-processing inequality for the von Neumann entropy.

The QAEP can be proved by upper and lower bounding the min-entropy by the von Neumann entropy in the limit as the smoothing parameter goes to zero and the number of systems, $n$, is taken to infinity (called the i.i.d. limit).

For the upper bound, we upper bound the smooth min-entropy by the von Neumann entropy of a state that is close to the state in the min-entropy. Then in the i.i.d. limit, since the von Neumann entropy is continuous in its state (via Fannes’ inequality [Fan73]), the von Neumann entropy of this close state approaches that of the i.i.d. state.

For the lower bound, we use a chain rule to break up the conditional min-entropy into a sum of two non-conditional entropies, and these can be lower bounded in the i.i.d. limit by the non-conditional Rényi entropy [Ren61].

In summary, we have shown a proof of the data-processing inequality of the min-entropy (which is relatively simple) and performed a specialization of this data-processing inequality to the von Neumann entropy (which is much more involved than the proof for the min-entropy DPI). Because of the QAEP, the min-entropy can be thought of as a generalization of the von Neumann entropy to the one-shot scenario. This means that the more fundamental property is the data-processing inequality for the min-entropy, which is easily proved. The difficulty in proving the data-processing inequality for the von Neumann entropy can then be thought of as trying to prove both the fundamental inequality and the specialization at the same time, which has so far proven difficult.
Chapter 6

Conclusion and Outlook

This thesis has presented the current understanding of security in quantum key distribution and recent techniques used to prove security for various protocols (Chapter 3). Many common assumptions made in QKD and quantum cryptography have also been discussed (Chapter 4). We also outlined two contributions: an intuitive proof of the data-processing inequality and the security proofs of two two-way QKD protocols (Chapter 5).

In particular, we have presented two frameworks that can be used to 
classify QKD protocols and their assumptions. 

Protocol classes (Section 3.4.1) allow for the classification of proof 
techniques to specify which techniques apply to which kinds of protocols. 
Several proof techniques and reductions were explained in Section 3.4 and 
their applicability was specified using the framework of protocol classes. 

Assumption classes (Section 4.3) classify assumptions into four types: fundamental, calibrated, verifiable, and satisfiable. These clarify the level of justification these assumptions have and whether Eve can exploit them or not. Fundamental assumptions are either dependent on the underlying physical theory (and are therefore justified) or are completely unjustified. Calibrated assumptions are approximately justified by the structure of the devices, but Eve can exploit these assumptions to get partial or full information about the key. Verifiable assumptions are completely justified by an experimental test. Satisfiable assumptions are justified by a modification of the protocol, but may require further assumptions that are not justified.

Several examples of the kinds of assumptions made in quantum cryptography and QKD protocols were analyzed in Chapter 4. However, this was certainly not an exhaustive list. As several results have shown [Lüt99, DHH99, KZMW01, LP05, GFK+06, LLK07, QFLM07, FQTL07, LWW+10, WKR+11, BCK13, SJM+14, JAK+14] there are assumptions that have just not been thought of previously, and this will continue to be the case for the models of device-dependent protocols and their implementations. In addition, this chapter focused on QKD, but many of the assumptions made there also apply to the implementations of other quantum-cryptography protocols (for example, see the recent coin-flipping experiment [BBB+11]).

Ideally, a quantum-cryptography protocol should only make verifiable assumptions; fundamental assumptions that rely on the laws of physics or assumptions that are unavoidable (such as the isolation of Alice’s and Bob’s labs); or satisfiable assumptions that only lead to assumptions that are justified. There is no such proof in QKD that is both physically implementable with current technology and only has assumptions of these types. This is the goal, first motivated in [Eke91, MY98] and more recently analyzed in [McK10, BP12, YVB+14], that QKD strives to achieve. For example, devices could be produced by an eavesdropper that are ‘self-testing.’ Alice and Bob can perform a test of their devices before the protocol so that when they run the protocol they are guaranteed that they get a secure key with high probability or the protocol aborts, regardless of what an eavesdropper does or how the devices behave. This kind of QKD would truly merit the name of “unconditional” security, since it would only rely on the most basic of assumptions, such as the laws of physics.

The authors of [SK09] proposed that the QKD community would go in two directions: device-dependent proofs with increasingly more realistic models and device-independent proofs that ignore the underlying states and only deal with the conditional probability distributions resulting from inputs and outputs from measurements. It is still not clear if device-independent proofs will be experimentally implementable without making further assumptions, such as the assumption that loophole-free Bell tests are implemented. The protocols must also be able to tolerate realistic errors and loss. However, this direction seems most promising for removing unjustified assumptions from security proofs of QKD protocols.

With the advent of the entropic uncertainty relation (Theorem 2.3.11) and measurement-device-independent QKD (Section 1.2.5) it seems a hybrid approach may also be possible, where only some devices need to be characterized. Experimentalists have recently implemented QKD using a security proof that uses the uncertainty relation [BCL+13] and MDI QKD has been implemented as well [RSC+13, LCW+13]. Also, there is other theoretic work that seeks to connect perfect models with realistic implementations. For example, [AL14] connects protocols that use qubits, unitaries, and projective measurements to protocols that use coherent states, linear optics, and threshold detectors.





An interesting tool that is currently lacking would be an entropic uncertainty relation that applies to single POVMs, so that a basis choice is not necessary. Perhaps it would also take loss into account, so that security could be proven for the DPS and COW protocols as well as prove security of the B92 protocol in a new way. The current uncertainty relation could be applied to these protocols, but they relate the min-entropy of the actual protocol to the max-entropy of a counterfactual protocol. It is then unclear how to infer what the max-entropy is in the counterfactual protocol by only using parameter estimation in the actual protocol.

There are several efforts to make QKD more practical and useful by increasing the maximum distance possible [HN14] and doing QKD with a satellite [MSYM+11, WYL+12, VBD+14, QLS+14]. There are also efforts to extend QKD to new frontiers: to not only use quantum mechanics but to also use relativity for QKD [RKKM14, CS14] and to perform QKD underwater [SZLG14].

This thesis has focused primarily on discrete-variable QKD, but there is much work being done on continuous-variable QKD. Imperfections and side-channel attacks in CV QKD are considered in [JKJDL12, HKJJ+14]. Device-independent CV QKD has been proposed [MW14]. Experiments have also implemented CV QKD, for example, in free space [HPK+14]. Improvements have also been found to increase the distance and key rate [MSJ+14b, JEKJ14, Fur14].

The fate of two-way QKD is still not clear, i.e. it is not clear if two-way QKD provides an advantage over one-way protocols. A recent result does an error analysis for the original LM05 protocol [SLM13] in an attempt to see if the protocol is secure without the need for the modifications in [BLMR13] (see Section 5.2.1). It would be interesting to see how the key rate for a secure finite-key two-way QKD protocol would compare to one-way equivalents. While our result [BLMR13] hints that such an advantage may be possible for the protocol based on super dense coding (due to the deterministic basis choices in the measurement), only a finite-key rate would take this advantage into account.
Appendix A

Squeezed States and Phase Space

This appendix defines squeezed states and how they can be represented in phase space (as well as how to represent coherent states in phase space). These states are used for continuous-variable quantum key distribution (see Section 1.2.3).

Squeezed states are related to coherent states (Eq. 1.12), in that they are a superposition of the number states of a particular form. First, note that a coherent state may be written as

$|\alpha\rangle = e^{\alpha a^{\dagger} - \alpha^{*} a}|0\rangle,$ (A.1)

where $a^{\dagger}$ is the creation operator, $a$ is the annihilation operator, and $|0\rangle$ is the vacuum state [Lou00]. The operator in front of the vacuum state is called the displacement operator, $D(\alpha) := e^{\alpha a^{\dagger} - \alpha^{*} a}$. This operator is named this way because it displaces the creation and annihilation operators: $D^{\dagger}(\alpha)\, a\, D(\alpha) = a + \alpha$ and $D^{\dagger}(\alpha)\, a^{\dagger}\, D(\alpha) = a^{\dagger} + \alpha^{*}$. Also, the displacement operator is unitary. To show this, we define $c := \alpha a^{\dagger} - \alpha^{*} a$ and notice that $c^{\dagger} = -c$; then

$D(\alpha)D^{\dagger}(\alpha) = D^{\dagger}(\alpha)D(\alpha) = e^{c}e^{-c} = e^{c - c + \frac{1}{2}[c, -c]} = \mathbb{1},$ (A.2)

where we use the property $e^{f}e^{g} = e^{f + g + \frac{1}{2}[f, g]}$ (valid when $[f, g]$ commutes with both $f$ and $g$, as it does here since $[c, -c] = 0$) and $[f, g] := fg - gf$ is the commutator.

A squeezed state may be written in a similar way to Eq. A.1 as a state being acted upon by the squeezing operator:

$S(\xi) := e^{\frac{1}{2}\left(\xi^{*} a^{2} - \xi a^{\dagger 2}\right)}, \qquad \xi \in \mathbb{C}.$ (A.3)
The squeezing operator can be shown to be unitary in the same way as the displacement operator. If we write the squeezing operator applied to the vacuum state as $|\xi\rangle := S(\xi)|0\rangle$, and write $\xi$ in its polar form $\xi = re^{i\theta}$, it can be written in the photon number basis [Lou00] as

$|\xi\rangle = \sqrt{\operatorname{sech} r}\, \sum_{n=0}^{\infty} \frac{\sqrt{(2n)!}}{n!} \left(-\frac{1}{2} e^{i\theta} \tanh r\right)^{n} |2n\rangle,$ (A.4)

where sech and tanh are the hyperbolic secant and tangent functions. This state is called the squeezed vacuum state.

There are also squeezed coherent states, where the squeezed vacuum state is displaced by the displacement operator, $|\alpha, \xi\rangle := D(\alpha)|\xi\rangle$.


The idea in continuous-variable QKD is to send either coherent states or squeezed coherent states with different values of $\alpha$ and $\xi$. Note that coherent states are nonorthogonal:

$\langle\beta|\alpha\rangle = e^{-\frac{|\alpha|^{2}}{2}} e^{-\frac{|\beta|^{2}}{2}} \sum_{n=0}^{\infty} \frac{(\beta^{*}\alpha)^{n}}{n!} = e^{-\frac{|\alpha|^{2}}{2} - \frac{|\beta|^{2}}{2} + \beta^{*}\alpha}, \qquad |\langle\beta|\alpha\rangle|^{2} = e^{-|\alpha - \beta|^{2}}.$ (A.5)

The overlap is also known for squeezed coherent states [SMRSP92], and they are also non-orthogonal. Therefore, Eve cannot distinguish the states that Alice sends with certainty.


A useful way to depict coherent states and squeezed states is by drawing them pictorially in phase space. If we define the quadrature operators $X$ and $Y$ as

$X := \frac{1}{2}(a^{\dagger} + a), \qquad Y := \frac{i}{2}(a^{\dagger} - a),$ (A.6)

then, recalling that coherent states are eigenvectors of the annihilation operator, $a|\alpha\rangle = \alpha|\alpha\rangle$, the expectation values of these operators for coherent states and squeezed coherent states are [Lou00]:

$\langle\alpha|X|\alpha\rangle = \frac{1}{2}\langle\alpha|(a^{\dagger} + a)|\alpha\rangle = \frac{1}{2}(\alpha^{*} + \alpha) = \operatorname{Re}(\alpha)$ (A.7)

$\langle\alpha|Y|\alpha\rangle = \frac{i}{2}\langle\alpha|(a^{\dagger} - a)|\alpha\rangle = \frac{i}{2}(\alpha^{*} - \alpha) = \operatorname{Im}(\alpha)$ (A.8)

$\langle\alpha, \xi|X|\alpha, \xi\rangle = \operatorname{Re}(\alpha)$ (A.9)

$\langle\alpha, \xi|Y|\alpha, \xi\rangle = \operatorname{Im}(\alpha),$ (A.10)

where we leave out the calculation of the squeezed coherent state expectation values (see [Lou00]). Also, using the commutation relation $[a, a^{\dagger}] = 1$,
the expectations of the second moments of the coherent state are

$\langle\alpha|X^{2}|\alpha\rangle = \frac{1}{4}\langle\alpha|(a^{\dagger} + a)^{2}|\alpha\rangle = \frac{1}{4}\left(\alpha^{*2} + 2|\alpha|^{2} + \alpha^{2} + 1\right)$ (A.11)

$= \operatorname{Re}(\alpha)^{2} + \frac{1}{4}$ (A.12)

$\langle\alpha|Y^{2}|\alpha\rangle = -\frac{1}{4}\langle\alpha|(a^{\dagger} - a)^{2}|\alpha\rangle = -\frac{1}{4}\left(\alpha^{*2} - 2|\alpha|^{2} + \alpha^{2} - 1\right)$ (A.13)

$= \operatorname{Im}(\alpha)^{2} + \frac{1}{4}.$ (A.14)

These expectations can be used to calculate the variances for coherent states and squeezed coherent states, where the squeezing parameter is $\zeta = re^{i\theta}$. For a coherent state,

$$(\Delta X)^2 = \langle X^2\rangle - \langle X\rangle^2 = \tfrac{1}{4} \qquad (\mathrm{A.15})$$

$$(\Delta Y)^2 = \langle Y^2\rangle - \langle Y\rangle^2 = \tfrac{1}{4}, \qquad (\mathrm{A.16})$$

and for a squeezed coherent state,

$$(\Delta X)^2 = \tfrac{1}{4}\left(e^{2r}\sin^2\!\left(\tfrac{\theta}{2}\right) + e^{-2r}\cos^2\!\left(\tfrac{\theta}{2}\right)\right) \qquad (\mathrm{A.17})$$

$$(\Delta Y)^2 = \tfrac{1}{4}\left(e^{2r}\cos^2\!\left(\tfrac{\theta}{2}\right) + e^{-2r}\sin^2\!\left(\tfrac{\theta}{2}\right)\right). \qquad (\mathrm{A.18})$$

This means that we can represent a coherent state in the $X$-$Y$ plane as centred on its expected value for $X$ and $Y$ (i.e. $(\mathrm{Re}\,\alpha, \mathrm{Im}\,\alpha)$) with a region surrounding this point inside the variance. It can be shown that any linear combination of $X$ and $Y$ also leads to the variance of $1/4$, which means that this region is a circle (see Fig. A.1).

For a squeezed coherent state, we can similarly centre the state at $(\mathrm{Re}\,\alpha, \mathrm{Im}\,\alpha)$, and the variance is now an ellipse with major axis length $e^{2r}$ and minor axis length $e^{-2r}$ at an angle of $\theta/2$ (see Fig. A.1).
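As an added worked derivation, not part of the thesis text, here is the calculation of (A.17) that the text leaves out. It assumes Loudon's conventions $|\alpha,\zeta\rangle = D(\alpha)S(\zeta)|0\rangle$ with $S(\zeta) = \exp[\tfrac{1}{2}(\zeta^* a^2 - \zeta a^{\dagger 2})]$ and $\zeta = re^{i\theta}$; these operator forms are not stated on the page.

```latex
\begin{align*}
&\text{Assumed conventions: } S^\dagger(\zeta)\, a\, S(\zeta) = a\cosh r - a^\dagger e^{i\theta}\sinh r, \qquad
  D^\dagger(\alpha)\, a\, D(\alpha) = a + \alpha. \\
&\text{Hence } D^\dagger X D = X + \mathrm{Re}(\alpha) \text{ only shifts the mean, so the variance is that of } S(\zeta)|0\rangle: \\
&S^\dagger (a^\dagger + a)\, S = \mu^* a + \mu\, a^\dagger, \qquad \mu := \cosh r - e^{i\theta}\sinh r, \\
&\langle 0|(\mu^* a + \mu\, a^\dagger)^2|0\rangle = |\mu|^2\,\langle 0|a a^\dagger|0\rangle = |\mu|^2
  \quad (\text{only the } a a^\dagger \text{ term survives on the vacuum}), \\
&(\Delta X)^2 = \tfrac{1}{4}|\mu|^2 = \tfrac{1}{4}\left(\cosh 2r - \sinh 2r\cos\theta\right)
  = \tfrac{1}{4}\left(e^{2r}\sin^2\tfrac{\theta}{2} + e^{-2r}\cos^2\tfrac{\theta}{2}\right), \\
&\text{using } \cosh 2r = \tfrac{1}{2}(e^{2r} + e^{-2r}),\ \sinh 2r = \tfrac{1}{2}(e^{2r} - e^{-2r}),\
  \sin^2\tfrac{\theta}{2} = \tfrac{1}{2}(1 - \cos\theta),\ \cos^2\tfrac{\theta}{2} = \tfrac{1}{2}(1 + \cos\theta). \\
&\text{The same steps with } S^\dagger (a^\dagger - a)\, S = \nu\, a^\dagger - \nu^* a,\ \nu := \cosh r + e^{i\theta}\sinh r,
  \text{ give } (\Delta Y)^2 = \tfrac{1}{4}|\nu|^2 = \tfrac{1}{4}\left(\cosh 2r + \sinh 2r\cos\theta\right), \text{ i.e. (A.18).}
\end{align*}
```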
Figure A.1: A coherent state and a squeezed state represented in phase space. The coherent vacuum state is centred at the origin with a Gaussian distribution of its probability density. The squeezed state is represented as an ellipse centred at $(\mathrm{Re}(\alpha), \mathrm{Im}(\alpha))$ at an angle $\theta$, whose width is given by the squeezing parameter $r$ and with a Gaussian distribution of its density.
Appendix B

Miscellaneous Math


Here we discuss various mathematical properties used in the main text, including fields (Section B.1), Big O Notation (Section B.2), and norms (Section B.3).


B.1 Fields


In mathematics, a field is a set of elements with two operations, called addition and multiplication, that satisfy a list of properties. If $\mathbb{F}$ is a field, $a, b, c \in \mathbb{F}$ are elements of $\mathbb{F}$, and $+$ and $\times$ are the addition and multiplication operations, then the operations $+$ and $\times$ must satisfy

• Closure: $a + b \in \mathbb{F}$ and $a \times b \in \mathbb{F}$.

• Associativity: $a + (b + c) = (a + b) + c$ and $a \times (b \times c) = (a \times b) \times c$.

• Commutativity: $a + b = b + a$ and $a \times b = b \times a$.

There must also exist identity elements and inverses in $\mathbb{F}$.

• Identity elements: There exist elements $0$ and $1$ such that $\forall a \in \mathbb{F}$, $a + 0 = a$ and $a \times 1 = a$.

• Inverses: For all $a \in \mathbb{F}$ there exist elements $-a \in \mathbb{F}$ and $a^{-1} \in \mathbb{F}$ such that $a + (-a) = 0$ and (except for $a = 0$) $a \times a^{-1} = 1$.

Finally, $\times$ should be distributive over $+$.

• Distributivity: For all $a, b, c \in \mathbb{F}$, $a \times (b + c) = (a \times b) + (a \times c)$.

One example of a field is the rational numbers with the usual addition and multiplication operations from arithmetic. One kind of field we use explicitly in Section 3.3 is a finite field, also called a Galois field, GF. They only exist when the number of elements is equal to a prime number to an integer power, such as $2^n$, where $n$ is an integer. An example of a Galois field is the set of integers modulo a prime number.


B.2 Big O Notation 


Given a function of several variables, the limiting behaviour of the function can be characterized by its dominant term in a certain limit. For example, if the number of signals in a QKD protocol approaches infinity, then the amount of classical communication needed may scale according to a function of the number of signals. We use the following notation from computer science to denote this scaling behaviour.

Definition B.2.1 (Big O notation). Given two functions $f$ and $g$ that map from a subset of $\mathbb{R}$ to a subset of $\mathbb{R}$, we write $f(x) = O(g(x))$ iff there exists a constant, $c$, and a real number $x_0$ such that

$$|f(x)| \leq c\,|g(x)| \quad \forall x > x_0. \qquad (\mathrm{B.1})$$


As an example, consider the function $f(x) = 2x + \log x$; then $f = O(x)$.


B.3 Norms 


Norms are used to measure the size (in an abstract sense) of vectors in a vector space. Formally they are defined as functions from a vector space to a subfield of the complex numbers (i.e. a field whose elements are complex numbers). A norm is denoted as $\|x\|$ for an element $x \in V$ of a vector space. For all $a \in \mathbb{F} \subseteq \mathbb{C}$ and $u, v \in V$ the norm $\|\cdot\|$ satisfies the following properties.

• Absolute linearity: $\|av\| = |a|\,\|v\|$.

• Triangle inequality: $\|u + v\| \leq \|u\| + \|v\|$.

• Zero vector: If $\|v\| = 0$ then $v$ is the zero vector.

We now consider norms that are used in this thesis. 
Definition B.3.1 (Operator Norm, Infinity Norm). Let $L$ be a linear operator from $\mathcal{H}_A$ to $\mathcal{H}_B$, then the operator norm is defined as

(B.2)

where $\||\psi\rangle\| := \sqrt{\langle\psi|\psi\rangle}$. This norm is equivalent to the largest singular value$^1$ of $L$. If $L$ is a normal matrix$^2$, then the singular values of $L$ are the same as the eigenvalues of $L$.

Definition B.3.2 (Trace Norm). Let $L$ be a linear operator from $\mathcal{H}_A$ to $\mathcal{H}_B$ with singular values $s_i(L)$, then the trace norm is defined as

(B.3)

where $|L| := \sqrt{L^\dagger L}$.


Definition B.3.3 (Hilbert-Schmidt Norm). Let $L$ be a linear operator from $\mathcal{H}_A$ to $\mathcal{H}_B$ with singular values $s_i(L)$, then the Hilbert-Schmidt norm is defined as

(B.4)

Norms can also be used to define a measure of distance, called a metric. If $X$ is a set, then metrics are functions from $X \times X$ to the real numbers $\mathbb{R}$. A metric, $d$, for all $x, y, z \in X$ has the following defining properties.

• Non-negativity: $d(x,y) \geq 0$.

• Identity of indiscernibles: $d(x,y) = 0$ iff $x = y$.

• Symmetry: $d(x,y) = d(y,x)$.

• Triangle inequality: $d(x,z) \leq d(x,y) + d(y,z)$.

To use our norms defined above to define a metric, we simply take the difference of two vectors under the norm. The trace norm defines the $L_1$-distance between two vectors $x$ and $y$ as

(B.5)

where $x_i$ and $y_i$ are the elements of the vectors $x$ and $y$ respectively. As we will see below, this norm can also be used as a metric between quantum states.

$^1$ Singular values of an operator, $L$, are the eigenvalues of $\sqrt{L^\dagger L}$.

$^2$ A normal matrix, $N$, is one that satisfies $N^\dagger N = N N^\dagger$.

There is also a quantum generalization of this distance measure. 

Definition B.3.4 (Trace Distance). Let $\rho, \sigma \in \mathcal{S}_{\leq}(\mathcal{H})$, then the trace distance between $\rho$ and $\sigma$ is defined as

$$D(\rho,\sigma) := \tfrac{1}{2}\|\rho - \sigma\|_1. \qquad (\mathrm{B.6})$$


The trace distance can be interpreted as a distinguishing probability. Given a state that is guaranteed to be either $\rho$ or $\sigma$, the average success probability of correctly guessing which state it is, by performing the optimal measurement whose outcome indicates that the state is $\rho$ or $\sigma$, is given by

$$\Pr[\text{guess}] = \tfrac{1}{2} + \tfrac{1}{2}\,D(\rho,\sigma). \qquad (\mathrm{B.7})$$

Another common quantity that characterizes the distance between quantum states is the fidelity. Here we define the fidelity as the generalized fidelity for unnormalized states.

Definition B.3.5 (Fidelity). Let $\rho, \sigma \in \mathcal{S}_{\leq}(\mathcal{H})$, then the generalized fidelity between $\rho$ and $\sigma$ is defined as

$$F(\rho,\sigma) := \|\sqrt{\rho}\sqrt{\sigma}\|_1 + \sqrt{(1 - \mathrm{Tr}\,\rho)(1 - \mathrm{Tr}\,\sigma)}. \qquad (\mathrm{B.8})$$

Note that if $\rho$ or $\sigma$ is normalized, then the generalized fidelity reduces to the fidelity $F(\rho,\sigma) = \|\sqrt{\rho}\sqrt{\sigma}\|_1$.

The fidelity is unfortunately not a proper metric ($F(\rho,\sigma) = 0$ iff $\rho = \sigma$ is not true, but instead $F(\rho,\sigma) = 1$ iff $\rho = \sigma$). However, the fidelity is useful for several properties. One of these properties is its unitary invariance ($F(\rho,\sigma) = F(U\rho U^\dagger, U\sigma U^\dagger)$). Another useful property is that the states can be purified (see Section 2.2.1) and the fidelity remains unchanged.

Theorem B.3.6 (Uhlmann's Theorem [NC00]). Let $\rho, \sigma \in \mathcal{S}_{\leq}(\mathcal{H})$ and let a purification of $\rho$ be $|\phi\rangle$, then

$$F(\rho,\sigma) = \max_{|\psi\rangle} |\langle\psi|\phi\rangle|, \qquad (\mathrm{B.9})$$

where $|\psi\rangle$ is a purification of $\sigma$.
One way to turn the fidelity into a metric is by using the purified distance.

Definition B.3.7 (Purified Distance [TCR10]). Let $\rho, \sigma \in \mathcal{S}_{\leq}(\mathcal{H})$, then the purified distance between $\rho$ and $\sigma$ is defined as

$$P(\rho,\sigma) := \sqrt{1 - F^2(\rho,\sigma)}. \qquad (\mathrm{B.10})$$


This distance inherits many of the properties of the fidelity, and in 
addition is now a metric. To see the relationship between these various 
distance measures, there is the following set of inequalities. 

Lemma B.3.8 (Relationship of Trace Distance and Fidelity [NC00]).

$$1 - F(\rho,\sigma) \leq D(\rho,\sigma) \leq \sqrt{1 - F^2(\rho,\sigma)}. \qquad (\mathrm{B.11})$$


This relationship means that the fidelity and trace distance (and also the purified distance) characterize the distance between states in a similar way.

An important property of all of these distances is that they are monotone under CPTP maps.

Lemma B.3.9 (Distances under CPTP maps [NC00, Tom12]). Let $\rho, \sigma \in \mathcal{S}_{\leq}(\mathcal{H})$ and given a CPTP map $\mathcal{E}$ from $\mathcal{S}_{\leq}(\mathcal{H})$ to $\mathcal{S}_{\leq}(\mathcal{H}')$, then

$$D(\rho,\sigma) \geq D(\mathcal{E}(\rho), \mathcal{E}(\sigma)) \qquad (\mathrm{B.12})$$

$$F(\rho,\sigma) \leq F(\mathcal{E}(\rho), \mathcal{E}(\sigma)) \qquad (\mathrm{B.13})$$

$$P(\rho,\sigma) \geq P(\mathcal{E}(\rho), \mathcal{E}(\sigma)). \qquad (\mathrm{B.14})$$
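To make Definitions B.3.4, B.3.5 and B.3.7 and Lemmas B.3.8 and B.3.9 concrete, here is an added example (not from the thesis) that computes $D$, $F$ and $P$ for constructed qubit states in pure Python. It assumes normalized states and uses the qubit closed form for the fidelity in place of the general $\|\sqrt{\rho}\sqrt{\sigma}\|_1$; it checks the guessing probability (B.7), the inequalities (B.11), and monotonicity (B.12)-(B.14) under a depolarizing channel, a constructed CPTP map.

```python
import math
# Added example, not from the thesis: the Section B.3 distances for qubit states in
# pure Python. Assumes normalized 2x2 states; the fidelity uses the qubit closed form
# F^2 = Tr(rho sigma) + 2 sqrt(det rho det sigma), which equals ||sqrt(rho) sqrt(sigma)||_1^2.

I2 = [[1, 0], [0, 1]]
PAULIS = ([[0, 1], [1, 0]], [[0, -1j], [1j, 0]], [[1, 0], [0, -1]])

def bloch_state(x, y, z):
    """rho = (I + x X + y Y + z Z)/2 for the Bloch vector (x, y, z)."""
    return [[0.5 * (I2[i][j] + x * PAULIS[0][i][j] + y * PAULIS[1][i][j]
                    + z * PAULIS[2][i][j]) for j in range(2)] for i in range(2)]

def trace(m): return m[0][0] + m[1][1]
def det(m): return m[0][0] * m[1][1] - m[0][1] * m[1][0]

def hermitian_eigvals(m):
    """Eigenvalues of a 2x2 Hermitian matrix: t/2 +- sqrt(t^2/4 - d)."""
    t, d = trace(m).real, det(m).real
    disc = math.sqrt(max(t * t / 4 - d, 0.0))
    return t / 2 + disc, t / 2 - disc

def trace_distance(rho, sigma):
    """D(rho, sigma) = (1/2) ||rho - sigma||_1, Definition B.3.4."""
    diff = [[rho[i][j] - sigma[i][j] for j in range(2)] for i in range(2)]
    return 0.5 * sum(abs(ev) for ev in hermitian_eigvals(diff))

def fidelity(rho, sigma):
    """F(rho, sigma) for normalized qubit states (closed form above)."""
    tr_rs = sum(rho[i][k] * sigma[k][i] for i in range(2) for k in range(2)).real
    val = tr_rs + 2 * math.sqrt(max((det(rho) * det(sigma)).real, 0.0))
    return math.sqrt(min(max(val, 0.0), 1.0))

def purified_distance(rho, sigma):  # Definition B.3.7
    return math.sqrt(max(1.0 - fidelity(rho, sigma) ** 2, 0.0))

def guess_probability(rho, sigma):  # optimal guessing probability, equation (B.7)
    return 0.5 + 0.5 * trace_distance(rho, sigma)

def depolarize(rho, p):
    """Constructed CPTP map rho -> (1 - p) rho + p I/2, used to check Lemma B.3.9."""
    return [[(1 - p) * rho[i][j] + 0.5 * p * I2[i][j] for j in range(2)] for i in range(2)]

def fuchs_van_de_graaf_holds(rho, sigma, tol=1e-12):
    """Lemma B.3.8: 1 - F <= D <= sqrt(1 - F^2)."""
    d, f = trace_distance(rho, sigma), fidelity(rho, sigma)
    return 1 - f <= d + tol and d <= math.sqrt(1 - f * f) + tol

# Constructed BB84-style pair |0><0| and |+><+| (Bloch vectors along z and x).
RHO, SIGMA = bloch_state(0, 0, 1), bloch_state(1, 0, 0)
```

For the two pure states above, $D = F = 1/\sqrt{2}$, so (B.11) holds with equality on the right and the best guess succeeds with probability $\tfrac{1}{2} + \tfrac{1}{2\sqrt{2}} \approx 0.854$; depolarizing both states with $p = 0.5$ lowers $D$ and $P$ and raises $F$, as Lemma B.3.9 requires.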


In addition, the trace distance is strongly convex. 

Theorem B.3.10 (Strong convexity of the trace distance [NC00]). Let $\rho_i, \sigma_i \in \mathcal{S}_{\leq}(\mathcal{H})$ and $P$ and $Q$ be probability distributions with probabilities $p_i$ and $q_i$ for indices $i \in \mathcal{A}$. Then



(B.15) 